diff --git a/_shared_content/operations_center/detection/generated/attack_00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0_do_not_edit_manually.json
index b9efc06863..d965ae0c03 100644
--- a/_shared_content/operations_center/detection/generated/attack_00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Google Kubernetes Engine", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Process Names In Command Line, Process Trace Alteration, Process Memory Dump Using Rdrleakdiag, Mimikatz Basic Commands, Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, Wdigest Enable UseLogonCredential, NTDS.dit File Interaction Through Command Line, Suspicious CommandLine Lsassy Pattern, Copying Browser Files With Credentials"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious certutil command, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Powershell AMSI Bypass, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Forwarding, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh RDP Port Forwarding, Netsh Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Disabled IE Security Features, ETW Tampering, Powershell AMSI Bypass, MalwareBytes Uninstallation, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Windows Firewall Changes, Microsoft Defender Antivirus Disable Using Registry, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Task Manager Through Registry Key, Netsh Allowed Python Program, Debugging Software Deactivation"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Wdigest Enable UseLogonCredential, Suspicious Desktopimgdownldr Execution, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, PowerView commandlets 1, AdFind Usage, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, MavInject Process Injection, Suspicious Desktopimgdownldr Execution, Equation Group DLL_U Load, Control Panel Items, CertOC Loading Dll, Suspicious DLL Loading By Ordinal, Suspicious Taskkill Command, Suspicious Windows Installer Execution"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Control Panel Items, Change Default File Association, Component Object Model Hijacking"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection, Default Encoding To UTF-8 PowerShell, WMImplant Hack Tool, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Mustang Panda Dropper, PowerShell EncodedCommand, QakBot Process Creation, Socat Relaying Socket, Powershell Web Request, Malspam Execution Registering Malicious DLL, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Taskkill Command, Bloodhound and Sharphound Tools Usage, MalwareBytes Uninstallation, PowerShell Commands Invocation, Invoke-TheHash Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, WMIC Uninstall Product, Suspicious PowerShell Invocations - Generic, Lazarus Loaders, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, PowerShell Invoke Expression With Registry, Linux Bash Reverse Shell"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket, SOCKS Tunneling Tool, Ngrok Process Execution, Netsh Port Forwarding"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Correlation Multi Service Disable"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Stop Backup Services"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Process Call Creation, WMIC Uninstall Product, WMImplant Hack Tool, WMI Install Of Binary, Invoke-TheHash Commandlets, Wmic Service Call, Blue Mockingbird Malware"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, Default Encoding To UTF-8 PowerShell, Suspicious PowerShell Invocations - Generic, Powershell Web Request, WMImplant Hack Tool, Suspicious PowerShell Keywords, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, FromBase64String Command Line, DNS Exfiltration and Tunneling Tools Execution, Suspicious Taskkill Command, PowerShell Invoke Expression With Registry, Invoke-TheHash Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Bloodhound and Sharphound Tools Usage, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Autorun Keys Modification, Leviathan Registry Key Activity, Njrat Registry Values, NjRat Registry Changes"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, WMIC Uninstall Product, MalwareBytes Uninstallation, Raccine Uninstall, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Disable Services, Netsh RDP Port Forwarding, Netsh Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Disabled IE Security Features"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, QakBot Process Creation"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, ETW Tampering, Compression Followed By Suppression"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, PowerShell Data Compressed"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, MalwareBytes Uninstallation, Malspam Execution Registering Malicious DLL, Lazarus Loaders, Suspicious Taskkill Command, Phorpiex DriveMgr Command, Mustang Panda Dropper"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access, Container Credential Access"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Google Kubernetes Engine", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, Process Trace Alteration, Suspicious CommandLine Lsassy Pattern, Mimikatz Basic Commands, HackTools Suspicious Process Names In Command Line, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Rdrleakdiag, Wdigest Enable UseLogonCredential, Copying Browser Files With Credentials"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious certutil command, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Windows Firewall Changes, Powershell AMSI Bypass, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Netsh RDP Port Forwarding, Windows Firewall Changes, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Powershell AMSI Bypass, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Disabled IE Security Features, Netsh Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, ETW Tampering, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable Services, Address Space Layout Randomization (ASLR) Alteration, Clear EventLogs Through CommandLine, Raccine Uninstall, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Blue Mockingbird Malware, Wdigest Enable UseLogonCredential, RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, DHCP Callout DLL Installation, Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, AdFind Usage, NlTest Usage, PowerView commandlets 1"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution, Control Panel Items, Malspam Execution Registering Malicious DLL, CertOC Loading Dll, Suspicious Desktopimgdownldr Execution, MavInject Process Injection, Equation Group DLL_U Load, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Control Panel Items, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Copy Of Legitimate System32 Executable, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, PowerShell Commands Invocation, Bloodhound and Sharphound Tools Usage, Venom Multi-hop Proxy agent detection, Suspicious PowerShell Keywords, WMIC Uninstall Product, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Socat Reverse Shell Detection, Phorpiex DriveMgr Command, Invoke-TheHash Commandlets, Malspam Execution Registering Malicious DLL, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), WMImplant Hack Tool, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Socat Relaying Socket, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, FromBase64String Command Line, Suspicious Taskkill Command, QakBot Process Creation, Linux Bash Reverse Shell, Suspicious PowerShell Invocations - Generic, Mustang Panda Dropper, Lazarus Loaders, MalwareBytes Uninstallation"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Ngrok Process Execution, Netsh Port Forwarding"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Stop Backup Services, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, WMI Install Of Binary, Invoke-TheHash Commandlets, Blue Mockingbird Malware, Wmic Process Call Creation, WMIC Uninstall Product, WMImplant Hack Tool"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Default Encoding To UTF-8 PowerShell, PowerShell Invoke Expression With Registry, Invoke-TheHash Commandlets, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Generic, Bloodhound and Sharphound Tools Usage, Powershell Web Request, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, FromBase64String Command Line, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, NjRat Registry Changes, Njrat Registry Values, Autorun Keys Modification, Malware Persistence Registry Key"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Services, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, Microsoft Defender Antivirus Disable Using Registry, WMIC Uninstall Product, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Forwarding, Disable Task Manager Through Registry Key"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, FromBase64String Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, QakBot Process Creation"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar With Password"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Mustang Panda Dropper, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access, Container Credential Access"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_021e9def-5a55-4369-941e-af269b45bef1_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_021e9def-5a55-4369-941e-af269b45bef1_do_not_edit_manually.json
index 65d1f87cee..ef0446150f 100644
--- a/_shared_content/operations_center/detection/generated/attack_021e9def-5a55-4369-941e-af269b45bef1_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_021e9def-5a55-4369-941e-af269b45bef1_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Elastic AuditBeat Linux", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Venom Multi-hop Proxy agent detection, Suspicious Windows Script Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious CodePage Switch with CHCP, Default Encoding To UTF-8 PowerShell, Socat Reverse Shell Detection, Generic-reverse-shell-oneliner, WMImplant Hack Tool, Suspicious PowerShell Keywords, PowerShell Downgrade Attack, Suspicious PrinterPorts Creation (CVE-2020-1048), Mustang Panda Dropper, PowerShell EncodedCommand, QakBot Process Creation, Socat Relaying Socket, Sysprep On AppData Folder, Python Offensive Tools and Packages, Aspnet Compiler, Powershell Web Request, Malspam Execution Registering Malicious DLL, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Taskkill Command, Bloodhound and Sharphound Tools Usage, MalwareBytes Uninstallation, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Download From URL, PowerShell Commands Invocation, Invoke-TheHash Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, XSL Script Processing And SquiblyTwo Attack, Suspicious XOR Encoded PowerShell Command Line, WMIC Uninstall Product, Suspicious PowerShell Invocations - Generic, Suspicious VBS Execution Parameter, Suspicious PowerShell Invocations - Specific, Lazarus Loaders, Elise Backdoor, DNS Exfiltration and Tunneling Tools Execution, PowerShell Invoke Expression With Registry, Linux Bash Reverse Shell"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Process Names In Command Line, Cmdkey Cached Credentials Recon, HackTools Suspicious Names, Process Trace Alteration, Process Memory Dump Using Rdrleakdiag, Mimikatz Basic Commands, Rubeus Tool Command-line, Grabbing Sensitive Hives Via Reg Utility, Process Memory Dump Using Comsvcs, Wdigest Enable UseLogonCredential, NTDS.dit File Interaction Through Command Line, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Createdump, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Rclone Process, Suspicious certutil command, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, QakBot Process Creation, Suspicious CodePage Switch with CHCP, Malspam Execution Registering Malicious DLL, Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Shadow Copies, Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Add User to Privileged Group, Enabling Restricted Admin Mode"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Powershell AMSI Bypass, Netsh Port Opening, Netsh Allow Command, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Allow Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh RDP Port Opening, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh RDP Port Forwarding, Netsh Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Disabled IE Security Features, ETW Tampering, Powershell AMSI Bypass, MalwareBytes Uninstallation, Raccine Uninstall, Disable Windows Defender Credential Guard, Address Space Layout Randomization (ASLR) Alteration, Windows Firewall Changes, Microsoft Defender Antivirus Disable Using Registry, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable Services, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, WMIC Uninstall Product, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Port Opening, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Task Manager Through Registry Key, Netsh Allowed Python Program, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Wdigest Enable UseLogonCredential, Suspicious Desktopimgdownldr Execution, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Empire Monkey Activity, Suspicious Desktopimgdownldr Execution, Suspicious Mshta Execution, xWizard Execution, Suspicious Regsvr32 Execution, Malspam Execution Registering Malicious DLL, MavInject Process Injection, PowerShell Execution Via Rundll32, CertOC Loading Dll, Suspicious DLL Loading By Ordinal, Suspicious Taskkill Command, Explorer Process Executing HTA File, Equation Group DLL_U Load, Suspicious Regasm Regsvcs Usage, CMSTP Execution, Control Panel Items, Suspicious Control Process, AccCheckConsole Executing Dll, Mshta JavaScript Execution, Suspicious Windows Installer Execution, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password, PowerShell Data Compressed"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Openfiles Usage, Network Scanning and Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, PowerView commandlets 1, AdFind Usage, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Control Panel Items, Change Default File Association, Component Object Model Hijacking"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, PowerCat Function Loading"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Linux Binary Masquerading, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Copy Of Legitimate System32 Executable, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Linux Binary Masquerading, RTLO Character"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, SSH Tunnel Traffic, Ngrok Process Execution, Netsh Port Forwarding, SSH X11 Forwarding"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Correlation Multi Service Disable"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Stop Backup Services"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Process Call Creation, WMIC Uninstall Product, WMImplant Hack Tool, WMI Install Of Binary, Invoke-TheHash Commandlets, Wmic Service Call, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, WMImplant Hack Tool, Suspicious PowerShell Keywords, PowerShell Downgrade Attack, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Powershell Web Request, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Taskkill Command, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Download From URL, Invoke-TheHash Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, Suspicious PowerShell Invocations - Generic, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, PowerShell Invoke Expression With Registry"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Setuid Or Setgid Usage, UAC Bypass Via Sdclt"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh RDP Port Forwarding, Netsh Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Disabled IE Security Features, MalwareBytes Uninstallation, Raccine Uninstall, Disable Windows Defender Credential Guard, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Disable Services, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, WMIC Uninstall Product, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Port Opening, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Task Manager Through Registry Key, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Autorun Keys Modification, Leviathan Registry Key Activity, Njrat Registry Values, Kernel Module Alteration, NjRat Registry Changes"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious XOR Encoded PowerShell Command Line, Suspicious certutil command, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Gpresult Usage, Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, Network Sniffing, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, File and Directory Permissions Modification, ICacls Granting Access To All"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Exfiltration Via Pscp, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, Credentials Extraction, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access, Adexplorer Usage, Credentials Extraction, Linux Suspicious Search, Opening Of a Password File, Container Credential Access"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: System Network Connections Discovery, Remote System Discovery Via Telnet, Adidnsdump Enumeration"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, WMIC Uninstall Product, MalwareBytes Uninstallation, Malspam Execution Registering Malicious DLL, Lazarus Loaders, Elise Backdoor, Suspicious Taskkill Command, Phorpiex DriveMgr Command, Mustang Panda Dropper"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, Erase Shell History, ETW Tampering, Compression Followed By Suppression"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Malspam Execution Registering Malicious DLL, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Remote File Copy, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Many Downloads From Several Binaries, Exfiltration And Tunneling Tools Execution, Dynamic DNS Contacted, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1548.001", "score": 100, "comment": "Rules: Setuid Or Setgid Usage"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, File and Directory Permissions Modification"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1620", "score": 100, "comment": "Rules: Linux Fileless Execution"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Elastic AuditBeat Linux", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, PowerShell Commands Invocation, Bloodhound and Sharphound Tools Usage, Suspicious XOR Encoded PowerShell Command Line, Venom Multi-hop Proxy agent detection, Suspicious PowerShell Keywords, WMIC Uninstall Product, Suspicious PowerShell Invocations - Specific, Suspicious VBS Execution Parameter, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious CodePage Switch with CHCP, Socat Reverse Shell Detection, Phorpiex DriveMgr Command, Invoke-TheHash Commandlets, Malspam Execution Registering Malicious DLL, Powershell Web Request, XSL Script Processing And SquiblyTwo Attack, Suspicious PrinterPorts Creation (CVE-2020-1048), WMImplant Hack Tool, Sekoia.io EICAR Detection, Default Encoding To UTF-8 PowerShell, Python Offensive Tools and Packages, DNS Exfiltration and Tunneling Tools Execution, Socat Relaying Socket, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, FromBase64String Command Line, Suspicious Taskkill Command, Generic-reverse-shell-oneliner, QakBot Process Creation, Aspnet Compiler, PowerShell Downgrade Attack, Linux Bash Reverse Shell, Elise Backdoor, Suspicious PowerShell Invocations - Generic, Suspicious Windows Script Execution, Mustang Panda Dropper, Lazarus Loaders, Sysprep On AppData Folder, PowerShell Download From URL"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, Copying Sensitive Files With Credential Data, Process Trace Alteration, Suspicious CommandLine Lsassy Pattern, Mimikatz Basic Commands, HackTools Suspicious Process Names In Command Line, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Names, Process Memory Dump Using Rdrleakdiag, Wdigest Enable UseLogonCredential, Grabbing Sensitive Hives Via Reg Utility, Process Memory Dump Using Createdump, Copying Browser Files With Credentials"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Rclone Process, Suspicious Finger Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Malspam Execution Registering Malicious DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, QakBot Process Creation, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, Shadow Copies, Suspicious Headless Web Browser Execution To Download File, System Info Discovery"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Netsh Allow Command, Netsh RDP Port Forwarding, Windows Firewall Changes, Powershell AMSI Bypass, Netsh Port Opening, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Netsh RDP Port Forwarding, Windows Firewall Changes, Microsoft Defender Antivirus Disable SecurityHealth, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Powershell AMSI Bypass, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Opening, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Port Opening, Disabled IE Security Features, Netsh Port Forwarding, Netsh Allow Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, ETW Tampering, Disable .NET ETW Through COMPlus_ETWEnabled, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disable Services, Address Space Layout Randomization (ASLR) Alteration, Fail2ban Unban IP, Clear EventLogs Through CommandLine, Raccine Uninstall, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Blue Mockingbird Malware, Wdigest Enable UseLogonCredential, RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, DHCP Callout DLL Installation, Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, Suspicious Rundll32.exe Execution, Mshta JavaScript Execution, MavInject Process Injection, Suspicious Control Process, Suspicious Regasm Regsvcs Usage, Malspam Execution Registering Malicious DLL, CertOC Loading Dll, xWizard Execution, PowerShell Execution Via Rundll32, Control Panel Items, Empire Monkey Activity, Suspicious Desktopimgdownldr Execution, Suspicious Taskkill Command, Suspicious Mshta Execution, Suspicious DLL Loading By Ordinal, Suspicious Regsvr32 Execution, CMSTP Execution, Explorer Process Executing HTA File, Equation Group DLL_U Load"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, PowerShell Data Compressed, Data Compressed With Rar With Password"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2, Network Scanning and Discovery, Openfiles Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 1, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 1, Network Share Discovery, PowerView commandlets 2"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, AdFind Usage, NlTest Usage, PowerView commandlets 1"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Control Panel Items, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Linux Binary Masquerading, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Linux Binary Masquerading, RTLO Character, Copy Of Legitimate System32 Executable, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SSH Tunnel Traffic, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Socat Reverse Shell Detection, SSH X11 Forwarding, Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Ngrok Process Execution, Netsh Port Forwarding"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Stop Backup Services, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, WMI Install Of Binary, Invoke-TheHash Commandlets, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, Wmic Process Call Creation, WMIC Uninstall Product, WMImplant Hack Tool"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, Bloodhound and Sharphound Tools Usage, Suspicious XOR Encoded PowerShell Command Line, Suspicious PowerShell Keywords, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, Invoke-TheHash Commandlets, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), WMImplant Hack Tool, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, FromBase64String Command Line, Suspicious Taskkill Command, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Generic, PowerShell Download From URL"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, Setuid Or Setgid Usage"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable SecurityHealth, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Port Opening, Disabled IE Security Features, Netsh Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disable Services, Address Space Layout Randomization (ASLR) Alteration, Fail2ban Unban IP, Raccine Uninstall, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, NjRat Registry Changes, Njrat Registry Values, Autorun Keys Modification, Kernel Module Alteration, Malware Persistence Registry Key"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute, File and Directory Permissions Modification"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Exfiltration Via Pscp, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credentials Extraction, Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Adexplorer Usage, Opening Of a Password File, Credentials Extraction, Linux Suspicious Search, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, System Network Connections Discovery, Remote System Discovery Via Telnet"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Elise Backdoor, Phorpiex DriveMgr Command, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Mustang Panda Dropper, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, Erase Shell History, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line, Exfiltration Domain"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Malspam Execution Registering Malicious DLL, Empire Monkey Activity, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Remote File Copy, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Cryptomining, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Many Downloads From Several Binaries, Dynamic DNS Contacted"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1548.001", "score": 100, "comment": "Rules: Setuid Or Setgid Usage"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, File and Directory Permissions Modification"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1620", "score": 100, "comment": "Rules: Linux Fileless Execution"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_02a74ceb-a9b0-467c-97d1-588319e39d71_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_02a74ceb-a9b0-467c-97d1-588319e39d71_do_not_edit_manually.json
index 8453f67410..aab7ea3833 100644
--- a/_shared_content/operations_center/detection/generated/attack_02a74ceb-a9b0-467c-97d1-588319e39d71_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_02a74ceb-a9b0-467c-97d1-588319e39d71_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Citrix NetScaler / ADC", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner New Issues"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-26855 Exchange SSRF, CVE-2020-1147 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2020-17530 Apache Struts RCE, CVE-2021-21972 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-0604 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21985 VMware vCenter"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Citrix NetScaler (ADC) Actions Blocked"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Citrix NetScaler / ADC", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner New Issues"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, SEKOIA.IO Intelligence Feed, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-1147 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Citrix NetScaler (ADC) Actions Blocked"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.json
index 4675ae8c18..16cbc75f7c 100644
--- a/_shared_content/operations_center/detection/generated/attack_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x WithSecure Elements", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File, Malspam Execution Registering Malicious DLL, Sysmon Windows File Block Executable, Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File, Microsoft Defender Antivirus Threat Detected, Malspam Execution Registering Malicious DLL, Sysmon Windows File Block Executable, Download Files From Non-Legitimate TLDs, WithSecure Elements Critical Severity, Login Brute-Force Successful On SentinelOne EDR Management Console, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Venom Multi-hop Proxy agent detection, Suspicious Windows Script Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious CodePage Switch with CHCP, Default Encoding To UTF-8 PowerShell, Socat Reverse Shell Detection, Generic-reverse-shell-oneliner, WMImplant Hack Tool, Suspicious PowerShell Keywords, PowerShell Downgrade Attack, Exploiting SetupComplete.cmd CVE-2019-1378, WithSecure Elements Critical Severity, Suspicious PrinterPorts Creation (CVE-2020-1048), Mustang Panda Dropper, PowerShell EncodedCommand, QakBot Process Creation, Socat Relaying Socket, Sysprep On AppData Folder, Python Offensive Tools and Packages, Powershell Web Request, Malspam Execution Registering Malicious DLL, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Taskkill Command, AutoIt3 Execution From Suspicious Folder, Bloodhound and Sharphound Tools Usage, MalwareBytes Uninstallation, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Download From URL, PowerShell Commands Invocation, Invoke-TheHash Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Login Brute-Force Successful On SentinelOne EDR Management Console, Phorpiex DriveMgr Command, XSL Script Processing And SquiblyTwo Attack, Suspicious XOR Encoded PowerShell Command Line, WMIC Uninstall Product, Suspicious PowerShell Invocations - Generic, Exploited CVE-2020-10189 Zoho ManageEngine, Microsoft Office Creating Suspicious File, Microsoft Defender Antivirus Threat Detected, Suspicious VBS Execution Parameter, Suspicious PowerShell Invocations - Specific, Lazarus Loaders, Elise Backdoor, DNS Exfiltration and Tunneling Tools Execution, PowerShell Invoke Expression With Registry, Suspicious File Name, Linux Bash Reverse Shell"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Exfiltration Via Pscp, OneNote Suspicious Children Process, Microsoft Defender Antivirus Threat Detected, PsExec Process, WithSecure Elements Critical Severity, SolarWinds Suspicious File Creation, Login Brute-Force Successful On SentinelOne EDR Management Console, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Program Allowed With Suspicious Location, Netsh Allow Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh RDP Port Opening, Microsoft Defender Antivirus Tampering Detected, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PROCEXP152.sys File Created In Tmp, Netsh RDP Port Forwarding, Netsh Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Disabled IE Security Features, ETW Tampering, Powershell AMSI Bypass, MalwareBytes Uninstallation, Raccine Uninstall, Disable Windows Defender Credential Guard, Address Space Layout Randomization (ASLR) Alteration, Windows Firewall Changes, Microsoft Defender Antivirus Disable Using Registry, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable Services, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, WMIC Uninstall Product, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Port Opening, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Task Manager Through Registry Key, Netsh Allowed Python Program, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Microsoft Defender Antivirus Tampering Detected, Clear EventLogs Through CommandLine, Erase Shell History, ETW Tampering, Compression Followed By Suppression"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Process Names In Command Line, Cmdkey Cached Credentials Recon, HackTools Suspicious Names, Process Trace Alteration, NTDS.dit File In Suspicious Directory, Mimikatz Basic Commands, Rubeus Tool Command-line, Grabbing Sensitive Hives Via Reg Utility, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Comsvcs, Wdigest Enable UseLogonCredential, NTDS.dit File Interaction Through Command Line, WCE wceaux.dll Creation, Suspicious CommandLine Lsassy Pattern, Credential Dump Tools Related Files, Process Memory Dump Using Createdump, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Rclone Process, Suspicious certutil command, Network Connection Via Certutil, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, QakBot Process Creation, Suspicious CodePage Switch with CHCP, Microsoft Office Creating Suspicious File, Malspam Execution Registering Malicious DLL, Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Shadow Copies, Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Password Change On Directory Service Restore Mode (DSRM) Account, Add User to Privileged Group, Enabling Restricted Admin Mode"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Powershell AMSI Bypass, Netsh Port Opening, Netsh Program Allowed With Suspicious Location, Netsh Allow Command, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Wdigest Enable UseLogonCredential, Suspicious Desktopimgdownldr Execution, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Empire Monkey Activity, Suspicious Desktopimgdownldr Execution, Suspicious Mshta Execution, xWizard Execution, Suspicious Regsvr32 Execution, Malspam Execution Registering Malicious DLL, MavInject Process Injection, PowerShell Execution Via Rundll32, CertOC Loading Dll, Suspicious DLL Loading By Ordinal, Suspicious Taskkill Command, Explorer Process Executing HTA File, Equation Group DLL_U Load, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Regasm Regsvcs Usage, CMSTP Execution, Control Panel Items, Suspicious Control Process, AccCheckConsole Executing Dll, Mshta JavaScript Execution, Suspicious Windows Installer Execution, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Control Panel Items, WMI Persistence Script Event Consumer File Write, Change Default File Association, Component Object Model Hijacking"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password, PowerShell Data Compressed"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Openfiles Usage, Network Scanning and Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, PowerView commandlets 1, AdFind Usage, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Webshell Creation, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Webshell Creation, IIS Module Installation Using AppCmd, PowerCat Function Loading"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Copy Of Legitimate System32 Executable, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder, Non-Legitimate Executable Using AcceptEula Parameter, AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, RTLO Character"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Ngrok Process Execution, Netsh Port Forwarding"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Stop Backup Services"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Process Call Creation, WMIC Uninstall Product, WMImplant Hack Tool, WMI Install Of Binary, Invoke-TheHash Commandlets, Wmic Service Call, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host, Rubeus Tool Command-line"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, WMImplant Hack Tool, Suspicious PowerShell Keywords, PowerShell Downgrade Attack, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Powershell Web Request, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Taskkill Command, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Download From URL, Invoke-TheHash Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, Suspicious PowerShell Invocations - Generic, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, PowerShell Invoke Expression With Registry"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PROCEXP152.sys File Created In Tmp, Netsh RDP Port Forwarding, Netsh Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Disabled IE Security Features, MalwareBytes Uninstallation, Raccine Uninstall, Disable Windows Defender Credential Guard, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Disable Services, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, WMIC Uninstall Product, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Port Opening, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Task Manager Through Registry Key, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Autorun Keys Modification, Leviathan Registry Key Activity, Suspicious desktop.ini Action, Njrat Registry Values, Kernel Module Alteration, NjRat Registry Changes"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious XOR Encoded PowerShell Command Line, Suspicious certutil command, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Gpresult Usage, Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, Network Sniffing, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, PsExec Process, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, New Service Creation"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Suspicious Process Requiring DLL Starts Without DLL, MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, WMIC Uninstall Product, MalwareBytes Uninstallation, Exploited CVE-2020-10189 Zoho ManageEngine, Malspam Execution Registering Malicious DLL, Lazarus Loaders, Elise Backdoor, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Phorpiex DriveMgr Command, Mustang Panda Dropper"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access, Adexplorer Usage, Linux Suspicious Search, Opening Of a Password File, Container Credential Access"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Callout DLL Installation, DHCP Server Error Failed Loading the CallOut DLL, DNS ServerLevelPluginDll Installation, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Callout DLL Installation, DHCP Server Error Failed Loading the CallOut DLL, Dynamic Linker Hijacking From Environment Variable, DNS ServerLevelPluginDll Installation, Exploiting SetupComplete.cmd CVE-2019-1378, DHCP Server Loaded the CallOut DLL, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Malspam Execution Registering Malicious DLL, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Dynamic DNS Contacted, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Formbook Hijacked Process Command, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Createdump, Credential Dump Tools Related Files"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Email Attachment Received"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Suspicious Double Extension, Suspicious Email Attachment Received, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Certify Or Certipy"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x WithSecure Elements", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Sysmon Windows File Block Executable, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Download Files From Non-Legitimate TLDs, Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Sysmon Windows File Block Executable, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Download Files From Non-Legitimate TLDs, Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File, Login Brute-Force Successful On SentinelOne EDR Management Console, Microsoft Defender Antivirus Threat Detected, WithSecure Elements Critical Severity"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, PowerShell Commands Invocation, Suspicious File Name, Bloodhound and Sharphound Tools Usage, Suspicious XOR Encoded PowerShell Command Line, Venom Multi-hop Proxy agent detection, Suspicious PowerShell Keywords, WMIC Uninstall Product, Suspicious PowerShell Invocations - Specific, Suspicious VBS Execution Parameter, Microsoft Defender Antivirus Threat Detected, Suspicious Microsoft Defender Antivirus Exclusion Command, WithSecure Elements Critical Severity, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious CodePage Switch with CHCP, Socat Reverse Shell Detection, Phorpiex DriveMgr Command, Invoke-TheHash Commandlets, Malspam Execution Registering Malicious DLL, Powershell Web Request, XSL Script Processing And SquiblyTwo Attack, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Office Creating Suspicious File, WMImplant Hack Tool, Sekoia.io EICAR Detection, Default Encoding To UTF-8 PowerShell, Python Offensive Tools and Packages, DNS Exfiltration and Tunneling Tools Execution, AutoIt3 Execution From Suspicious Folder, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Socat Relaying Socket, PowerShell EncodedCommand, FromBase64String Command Line, Suspicious Taskkill Command, Generic-reverse-shell-oneliner, QakBot Process Creation, Linux Bash Reverse Shell, PowerShell Downgrade Attack, Elise Backdoor, Exploited CVE-2020-10189 Zoho ManageEngine, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PowerShell Invocations - Generic, Login Brute-Force Successful On SentinelOne EDR Management Console, Suspicious Windows Script Execution, Mustang Panda Dropper, Lazarus Loaders, Sysprep On AppData Folder, PowerShell Download From URL"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Exfiltration Via Pscp, Usage Of Procdump With Common Arguments, SolarWinds Suspicious File Creation, Usage Of Sysinternals Tools, WithSecure Elements Critical Severity, Login Brute-Force Successful On SentinelOne EDR Management Console, PsExec Process, Microsoft Defender Antivirus Threat Detected, OneNote Suspicious Children Process"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Windows Firewall Changes, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Program Allowed With Suspicious Location, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Powershell AMSI Bypass, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Opening, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Port Opening, Disabled IE Security Features, Netsh Port Forwarding, Netsh Allow Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, ETW Tampering, Disable .NET ETW Through COMPlus_ETWEnabled, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disable Services, Address Space Layout Randomization (ASLR) Alteration, Fail2ban Unban IP, Clear EventLogs Through CommandLine, Raccine Uninstall, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Suspicious PROCEXP152.sys File Created In Tmp, Disable Task Manager Through Registry Key"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, Microsoft Defender Antivirus Tampering Detected, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Deleted, Erase Shell History, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, Suspicious CommandLine Lsassy Pattern, WCE wceaux.dll Creation, Credential Dump Tools Related Files, Process Trace Alteration, Mimikatz Basic Commands, HackTools Suspicious Process Names In Command Line, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Names, Process Memory Dump Using Rdrleakdiag, Wdigest Enable UseLogonCredential, Grabbing Sensitive Hives Via Reg Utility, Process Memory Dump Using Createdump, Copying Browser Files With Credentials"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File, Network Connection Via Certutil, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Rclone Process, Suspicious Finger Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Malspam Execution Registering Malicious DLL, XSL Script Processing And SquiblyTwo Attack, Microsoft Office Creating Suspicious File, Suspicious Windows Script Execution, QakBot Process Creation, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, Shadow Copies, Suspicious Headless Web Browser Execution To Download File, System Info Discovery"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account, Enabling Restricted Admin Mode, Add User to Privileged Group, Mimikatz Basic Commands"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Netsh Allow Command, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Program Allowed With Suspicious Location, Powershell AMSI Bypass, Netsh Port Opening, Netsh Port Forwarding"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Blue Mockingbird Malware, Wdigest Enable UseLogonCredential, RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, DHCP Callout DLL Installation, Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, Suspicious Rundll32.exe Execution, Mshta JavaScript Execution, MavInject Process Injection, Suspicious Control Process, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Regasm Regsvcs Usage, Malspam Execution Registering Malicious DLL, CertOC Loading Dll, xWizard Execution, PowerShell Execution Via Rundll32, Control Panel Items, Empire Monkey Activity, Suspicious Desktopimgdownldr Execution, Suspicious Taskkill Command, Suspicious Mshta Execution, Suspicious DLL Loading By Ordinal, Suspicious Regsvr32 Execution, CMSTP Execution, Explorer Process Executing HTA File, Equation Group DLL_U Load"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Control Panel Items, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, PowerShell Data Compressed, Data Compressed With Rar With Password"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2, Network Scanning and Discovery, Openfiles Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 1, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 1, Network Share Discovery, PowerView commandlets 2"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, AdFind Usage, NlTest Usage, PowerView commandlets 1"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, IIS Module Installation Using AppCmd, Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Copy Of Legitimate System32 Executable, AutoIt3 Execution From Suspicious Folder, Formbook Hijacked Process Command, Non-Legitimate Executable Using AcceptEula Parameter, Legitimate Process Execution From Unusual Folder, Phorpiex Process Masquerading, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Ngrok Process Execution, Netsh Port Forwarding"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Stop Backup Services, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, WMI Install Of Binary, Invoke-TheHash Commandlets, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, Wmic Process Call Creation, WMIC Uninstall Product, WMImplant Hack Tool"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, Bloodhound and Sharphound Tools Usage, Suspicious XOR Encoded PowerShell Command Line, Suspicious PowerShell Keywords, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, Invoke-TheHash Commandlets, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), WMImplant Hack Tool, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, FromBase64String Command Line, Suspicious Taskkill Command, PowerShell Downgrade Attack, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious PowerShell Invocations - Generic, PowerShell Download From URL"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Program Allowed With Suspicious Location, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Port Opening, Disabled IE Security Features, Netsh Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disable Services, Address Space Layout Randomization (ASLR) Alteration, Fail2ban Unban IP, Raccine Uninstall, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Suspicious PROCEXP152.sys File Created In Tmp, Disable Task Manager Through Registry Key"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, Malware Persistence Registry Key, NjRat Registry Changes, Njrat Registry Values, Autorun Keys Modification, Kernel Module Alteration, Suspicious desktop.ini Action"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Suspicious XOR Encoded PowerShell Command Line, OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments, OneNote Suspicious Children Process, Usage Of Sysinternals Tools"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, Suspicious Process Requiring DLL Starts Without DLL, MavInject Process Injection"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Elise Backdoor, Exploited CVE-2020-10189 Zoho ManageEngine, Exploiting SetupComplete.cmd CVE-2019-1378, Phorpiex DriveMgr Command, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Mustang Panda Dropper, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Adexplorer Usage, Opening Of a Password File, Linux Suspicious Search, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line, Exfiltration Domain"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Callout DLL Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL, Exploiting SetupComplete.cmd CVE-2019-1378, DNS Server Error Failed Loading The ServerLevelPluginDLL, Hijack Legit RDP Session To Move Laterally, Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, Malspam Execution Registering Malicious DLL, Empire Monkey Activity, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Cryptomining, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Koadic MSHTML Command, Dynamic DNS Contacted"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Email Attachment Received"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Download Files From Non-Legitimate TLDs, SEKOIA.IO Intelligence Feed, Suspicious Email Attachment Received"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_041e915e-2fb6-4604-9b24-902c9daa2d3c_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_041e915e-2fb6-4604-9b24-902c9daa2d3c_do_not_edit_manually.json
index b6a13cdbcf..e3d75a64ae 100644
--- a/_shared_content/operations_center/detection/generated/attack_041e915e-2fb6-4604-9b24-902c9daa2d3c_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_041e915e-2fb6-4604-9b24-902c9daa2d3c_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Mimecast Email Security [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Mimecast Email Security [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_04d36706-ee4a-419b-906d-f92f3a46bcdd_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_04d36706-ee4a-419b-906d-f92f3a46bcdd_do_not_edit_manually.json
index 6a1e7f34a3..54255a2285 100644
--- a/_shared_content/operations_center/detection/generated/attack_04d36706-ee4a-419b-906d-f92f3a46bcdd_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_04d36706-ee4a-419b-906d-f92f3a46bcdd_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Google Report", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1053", "score": 100, "comment": "Rules: Google Workspace App Script Scheduled Task"}, {"techniqueID": "T1114.003", "score": 100, "comment": "Rules: Google Workspace Email Forwarding"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Google Workspace Email Forwarding"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Google Workspace Login Brute-Force"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Google Workspace Domain Delegation, Google Workspace Admin Modification"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: Google Workspace Bypass 2FA"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Google Workspace Bypass 2FA"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Google Workspace Blocked Sender, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1556.006", "score": 100, "comment": "Rules: Google Workspace MFA changed"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: Google Workspace MFA changed, Google Workspace Password Change"}, {"techniqueID": "T1136.003", "score": 100, "comment": "Rules: Google Workspace User Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Google Workspace User Creation"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Google Workspace User Deletion, Google Workspace User Suspended, Google Workspace Admin Deletion"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Google Workspace Admin Creation, Google Workspace Account Warning"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Google Workspace External Sharing, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, HackTools Suspicious Names, Credential Dump Tools Related Files"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Google Report", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1053", "score": 100, "comment": "Rules: Google Workspace App Script Scheduled Task"}, {"techniqueID": "T1114.003", "score": 100, "comment": "Rules: Google Workspace Email Forwarding"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Google Workspace Email Forwarding"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Google Workspace Login Brute-Force"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Google Workspace Admin Modification, Google Workspace Domain Delegation"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: Google Workspace Bypass 2FA"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Google Workspace Bypass 2FA"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Google Workspace Blocked Sender"}, {"techniqueID": "T1556.006", "score": 100, "comment": "Rules: Google Workspace MFA changed"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: Google Workspace MFA changed, Google Workspace Password Change"}, {"techniqueID": "T1136.003", "score": 100, "comment": "Rules: Google Workspace User Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Google Workspace User Creation"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Google Workspace Admin Deletion, Google Workspace User Suspended, Google Workspace User Deletion"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Google Workspace Admin Creation, Google Workspace Account Warning"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Google Workspace External Sharing, Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, HackTools Suspicious Names, WCE wceaux.dll Creation"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_05e6f36d-cee0-4f06-b575-9e43af779f9f_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_05e6f36d-cee0-4f06-b575-9e43af779f9f_do_not_edit_manually.json
index 0e107c7707..b4cb0525dd 100644
--- a/_shared_content/operations_center/detection/generated/attack_05e6f36d-cee0-4f06-b575-9e43af779f9f_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_05e6f36d-cee0-4f06-b575-9e43af779f9f_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Microsoft 365 Defender", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Defender XDR Alert, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, Suspicious Outlook Child Process, Microsoft Office Product Spawning Windows Shell, Explorer Process Executing HTA File, ZIP LNK Infection Chain, MS Office Product Spawning Exe in User Dir, Winword Document Droppers, Microsoft Office Spawning Script, ISO LNK Infection Chain, Microsoft Defender XDR Endpoint Alert, Cobalt Strike Default Beacons Names, Login Brute-Force Successful On SentinelOne EDR Management Console, Microsoft Defender XDR Office 365 Alert, SquirrelWaffle Malspam Execution Loading DLL, HTA Infection Chains, Microsoft Defender XDR Cloud App Security Alert, Exploit For CVE-2015-1641, Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Venom Multi-hop Proxy agent detection, Suspicious Windows Script Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender XDR Alert, Suspicious CodePage Switch with CHCP, Default Encoding To UTF-8 PowerShell, Socat Reverse Shell Detection, Generic-reverse-shell-oneliner, WMImplant Hack Tool, Suspicious PowerShell Keywords, PowerShell Downgrade Attack, Suspicious PrinterPorts Creation (CVE-2020-1048), Mustang Panda Dropper, PowerShell EncodedCommand, QakBot Process Creation, Socat Relaying Socket, Sysprep On AppData Folder, Python Offensive Tools and Packages, Powershell Web Request, Malspam Execution Registering Malicious DLL, Suspicious Outlook Child Process, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Taskkill Command, AutoIt3 Execution From Suspicious Folder, Bloodhound and Sharphound Tools Usage, Suspicious Cmd.exe Command Line, MalwareBytes Uninstallation, PowerShell Malicious Nishang PowerShell Commandlets, Mshta Suspicious Child Process, PowerShell Download From URL, PowerShell Commands Invocation, Microsoft Office Spawning Script, Invoke-TheHash Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender XDR Endpoint Alert, Login Brute-Force Successful On SentinelOne EDR Management Console, Phorpiex DriveMgr Command, Interactive Terminal Spawned via Python, XSL Script Processing And SquiblyTwo Attack, Suspicious XOR Encoded PowerShell Command Line, WMIC Uninstall Product, Suspicious PowerShell Invocations - Generic, Microsoft Defender XDR Office 365 Alert, SquirrelWaffle Malspam Execution Loading DLL, Suspicious VBS Execution Parameter, Suspicious PowerShell Invocations - Specific, Lazarus Loaders, Elise Backdoor, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender XDR Cloud App Security Alert, PowerShell Invoke Expression With Registry, Suspicious File Name, Linux Bash Reverse Shell"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Microsoft Defender XDR Alert, Winrshost Wrong Parent, Suspicious DNS Child Process, Wsmprovhost Wrong Parent, Wininit Wrong Parent, SolarWinds Wrong Child Process, Windows Update LolBins, Winlogon wrong parent, Svchost Wrong Parent, PsExec Process, Winword wrong parent, Taskhostw Wrong Parent, SolarWinds Suspicious File Creation, Dllhost Wrong Parent, Usage Of Sysinternals Tools, Csrss Wrong Parent, Smss Wrong Parent, OneNote Suspicious Children Process, Gpscript Suspicious Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Microsoft Defender XDR Endpoint Alert, Login Brute-Force Successful On SentinelOne EDR Management Console, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, Wmiprvse Wrong Parent, Logonui Wrong Parent, Microsoft Defender XDR Office 365 Alert, Microsoft Defender XDR Cloud App Security Alert, Userinit Wrong Parent, Searchindexer Wrong Parent, Lsass Wrong Parent"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, FLTMC command usage, ETW Tampering"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Allow Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Exclusion Configuration, Netsh RDP Port Opening, Disable .NET ETW Through COMPlus_ETWEnabled, SELinux Disabling, FLTMC command usage, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PROCEXP152.sys File Created In Tmp, Netsh RDP Port Forwarding, Netsh Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Disabled IE Security Features, ETW Tampering, Powershell AMSI Bypass, MalwareBytes Uninstallation, Raccine Uninstall, Disable Windows Defender Credential Guard, Address Space Layout Randomization (ASLR) Alteration, Windows Firewall Changes, Microsoft Defender Antivirus Disable Using Registry, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable Services, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, NetNTLM Downgrade Attack, Dism Disabling Windows Defender, WMIC Uninstall Product, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Port Opening, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Task Manager Through Registry Key, Netsh Allowed Python Program, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Driver Loaded, Disabled Service"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Exclusion Configuration, Netsh RDP Port Opening, SELinux Disabling, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PROCEXP152.sys File Created In Tmp, Netsh RDP Port Forwarding, Netsh Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Disabled IE Security Features, MalwareBytes Uninstallation, Raccine Uninstall, Disable Windows Defender Credential Guard, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Disable Services, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, NetNTLM Downgrade Attack, Dism Disabling Windows Defender, WMIC Uninstall Product, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Port Opening, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Task Manager Through Registry Key, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Driver Loaded, Disabled Service"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Comsvcs, Mimikatz Basic Commands, Grabbing Sensitive Hives Via Reg Utility, WCE wceaux.dll Creation, Copying Browser Files With Credentials, HackTools Suspicious Names, NTDS.dit File Interaction Through Command Line, Suspicious CommandLine Lsassy Pattern, Windows Credential Editor Registry Key, Cmdkey Cached Credentials Recon, Process Trace Alteration, Rubeus Tool Command-line, Wdigest Enable UseLogonCredential, Credential Dump Tools Related Files, NetNTLM Downgrade Attack, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Ursnif Registry Key, Suspicious New Printer Ports In Registry, RedMimicry Winnti Playbook Registry Manipulation, RDP Sensitive Settings Changed, Wdigest Enable UseLogonCredential, Suspicious Desktopimgdownldr Execution, Disable Workstation Lock, DHCP Callout DLL Installation, FlowCloud Malware, DNS ServerLevelPluginDll Installation, Disabling SmartScreen Via Registry, OceanLotus Registry Activity, NetNTLM Downgrade Attack, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Rclone Process, Suspicious certutil command, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, QakBot Process Creation, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Suspicious VBS Execution Parameter, Microsoft Office Spawning Script, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, MS Office Product Spawning Exe in User Dir, Winword Document Droppers, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, WMImplant Hack Tool, Suspicious PowerShell Keywords, PowerShell Downgrade Attack, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Powershell Web Request, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Taskkill Command, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, Mshta Suspicious Child Process, PowerShell Download From URL, Invoke-TheHash Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, Suspicious PowerShell Invocations - Generic, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, PowerShell Invoke Expression With Registry"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, COM Hijack Via Sdclt, Control Panel Items, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, HTML Smuggling Suspicious Usage, Reconnaissance Commands Activities, Sticky Key Like Backdoor Usage, Change Default File Association, Component Object Model Hijacking"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, WMI Fingerprint Commands, Shadow Copies, System Info Discovery, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Wsmprovhost Wrong Parent, Smss Wrong Parent, Wmiprvse Wrong Parent, MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration, Svchost Wrong Parent, Searchprotocolhost Wrong Parent, Searchindexer Wrong Parent, Taskhost Wrong Parent, Taskhostw Wrong Parent, Explorer Wrong Parent"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Winrshost Wrong Parent, Wsmprovhost Wrong Parent, Wininit Wrong Parent, SolarWinds Wrong Child Process, Winlogon wrong parent, Svchost Wrong Parent, Winword wrong parent, Taskhostw Wrong Parent, Dllhost Wrong Parent, Csrss Wrong Parent, Smss Wrong Parent, OneNote Suspicious Children Process, Gpscript Suspicious Parent, Searchprotocolhost Wrong Parent, New Service Creation, Taskhost Wrong Parent, Explorer Wrong Parent, Wmiprvse Wrong Parent, Logonui Wrong Parent, Searchindexer Wrong Parent, Userinit Wrong Parent, Lsass Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Winrshost Wrong Parent, Wsmprovhost Wrong Parent, Wininit Wrong Parent, SolarWinds Wrong Child Process, Winlogon wrong parent, Svchost Wrong Parent, Winword wrong parent, Taskhostw Wrong Parent, Dllhost Wrong Parent, Csrss Wrong Parent, Smss Wrong Parent, OneNote Suspicious Children Process, Gpscript Suspicious Parent, Searchprotocolhost Wrong Parent, New Service Creation, Taskhost Wrong Parent, Explorer Wrong Parent, Wmiprvse Wrong Parent, Logonui Wrong Parent, Searchindexer Wrong Parent, Userinit Wrong Parent, Lsass Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Winrshost Wrong Parent, Suspicious DNS Child Process, Wsmprovhost Wrong Parent, Wininit Wrong Parent, SolarWinds Wrong Child Process, Winlogon wrong parent, Svchost Wrong Parent, PsExec Process, Winword wrong parent, Taskhostw Wrong Parent, Dllhost Wrong Parent, Usage Of Sysinternals Tools, Csrss Wrong Parent, Smss Wrong Parent, OneNote Suspicious Children Process, Gpscript Suspicious Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Usage Of Procdump With Common Arguments, Wmiprvse Wrong Parent, Logonui Wrong Parent, Searchindexer Wrong Parent, Userinit Wrong Parent, Lsass Wrong Parent"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Add User to Privileged Group, Enabling Restricted Admin Mode"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Powershell AMSI Bypass, Netsh Port Opening, Netsh Allow Command, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Shell PID Injection, COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, Reconnaissance Commands Activities, UAC Bypass via Event Viewer, UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Empire Monkey Activity, IcedID Execution Using Excel, Suspicious Desktopimgdownldr Execution, Suspicious Mshta Execution, xWizard Execution, Suspicious Regsvr32 Execution, Malspam Execution Registering Malicious DLL, MavInject Process Injection, PowerShell Execution Via Rundll32, CertOC Loading Dll, Suspicious DLL Loading By Ordinal, Suspicious Taskkill Command, MOFComp Execution, Explorer Process Executing HTA File, Equation Group DLL_U Load, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Regasm Regsvcs Usage, CMSTP Execution, SquirrelWaffle Malspam Execution Loading DLL, Control Panel Items, Suspicious Control Process, AccCheckConsole Executing Dll, Mshta JavaScript Execution, Suspicious Windows Installer Execution, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password, PowerShell Data Compressed"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Blue Mockingbird Malware, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Openfiles Usage, Network Scanning and Discovery, Shell PID Injection, PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Shell PID Injection, Discovery Commands Correlation, Active Directory Data Export Using Csvde, PowerView commandlets 1, Reconnaissance Commands Activities, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, PowerView commandlets 1, AdFind Usage, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, IIS Module Installation Using AppCmd, Webshell Execution W3WP Process, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Copy Of Legitimate System32 Executable, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, AutoIt3 Execution From Suspicious Folder, RTLO Character, Suspicious Cmd.exe Command Line, Explorer Wrong Parent"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Ngrok Process Execution, Netsh Port Forwarding"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Correlation Multi Service Disable, Disabled Service"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Stop Backup Services"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Process Call Creation, WMIC Uninstall Product, Impacket Wmiexec Module, WMImplant Hack Tool, WMI Install Of Binary, WMI Fingerprint Commands, Invoke-TheHash Commandlets, Suspicious Mshta Execution From Wmi, Wmic Service Call, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution, Cryptomining, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Dynamic DNS Contacted, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Detect requests to Konni C2 servers, Bazar Loader DGA (Domain Generation Algorithm), Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, DNS Tunnel Technique From MuddyWater, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Cryptomining"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, Download Files From Suspicious TLDs, HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Credential Dump Tools Related Files, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Autorun Keys Modification, Leviathan Registry Key Activity, Powershell Winlogon Helper DLL, DLL Load via LSASS Registry Key, Suspicious desktop.ini Action, Svchost Modification, Njrat Registry Values, Security Support Provider (SSP) Added to LSA Configuration, RUN Registry Key Created From Suspicious Folder, Kernel Module Alteration, NjRat Registry Changes"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious XOR Encoded PowerShell Command Line, Suspicious certutil command, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Gpresult Usage, Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, Network Sniffing, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Office Application Startup Office Test"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Leviathan Registry Key Activity, Autorun Keys Modification, Svchost Modification, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, PowerShell Execution Via Rundll32, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands, Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: System Network Connections Discovery, ACLight Discovering Privileged Accounts, Remote System Discovery Via Telnet, Adidnsdump Enumeration"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, Suspicious DNS Child Process, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, WMIC Uninstall Product, MalwareBytes Uninstallation, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Lazarus Loaders, Elise Backdoor, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, Phorpiex DriveMgr Command, Mustang Panda Dropper"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access, Adexplorer Usage, Linux Suspicious Search, Opening Of a Password File, Container Credential Access"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, Erase Shell History, ETW Tampering, Compression Followed By Suppression"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder, Explorer Wrong Parent"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious New Printer Ports In Registry, Exploit For CVE-2015-1641, Msdt (Follina) File Browse Process Execution, Download Files From Suspicious TLDs"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, Suspicious Email Attachment Received"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Suspicious Double Extension, Suspicious Outlook Child Process, Suspicious Email Attachment Received, Download Files From Suspicious TLDs"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Python HTTP Server, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern, Credential Dump Tools Related Files, Process Memory Dump Using Createdump, Windows Credential Editor Registry Key"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, Discovery Commands Correlation"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup, Wmic Suspicious Commands"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy, CVE-2021-4034 Polkit's pkexec, Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding, Suspicious TOR Gateway"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Registry Checked For Lanmanserver DisableCompression Parameter"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Shell PID Injection"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Authentication Impossible Travel"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Authentication Impossible Travel"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Microsoft 365 Defender", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, IcedID Execution Using Excel, HTA Infection Chains, Microsoft Defender XDR Cloud App Security Alert, Microsoft Office Spawning Script, Malspam Execution Registering Malicious DLL, Exploit For CVE-2015-1641, Microsoft Defender XDR Alert, Microsoft Office Product Spawning Windows Shell, Download Files From Suspicious TLDs, Winword Document Droppers, Microsoft Defender XDR Office 365 Alert, ISO LNK Infection Chain, Microsoft Defender XDR Endpoint Alert, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Login Brute-Force Successful On SentinelOne EDR Management Console, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Outlook Child Process, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, PowerShell Commands Invocation, Suspicious File Name, Interactive Terminal Spawned via Python, Bloodhound and Sharphound Tools Usage, Suspicious XOR Encoded PowerShell Command Line, Venom Multi-hop Proxy agent detection, Suspicious PowerShell Keywords, Suspicious Cmd.exe Command Line, WMIC Uninstall Product, Suspicious PowerShell Invocations - Specific, Suspicious VBS Execution Parameter, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, SquirrelWaffle Malspam Execution Loading DLL, Suspicious CodePage Switch with CHCP, Microsoft Defender XDR Cloud App Security Alert, Microsoft Office Spawning Script, Socat Reverse Shell Detection, Phorpiex DriveMgr Command, Invoke-TheHash Commandlets, Malspam Execution Registering Malicious DLL, Powershell Web Request, Microsoft Defender XDR Alert, XSL Script Processing And SquiblyTwo Attack, Suspicious PrinterPorts Creation (CVE-2020-1048), Mshta Suspicious Child Process, WMImplant Hack Tool, Sekoia.io EICAR Detection, Default Encoding To UTF-8 PowerShell, Python Offensive Tools and Packages, DNS Exfiltration and Tunneling Tools Execution, AutoIt3 Execution From Suspicious Folder, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Socat Relaying Socket, PowerShell EncodedCommand, FromBase64String Command Line, Suspicious Taskkill Command, Microsoft Defender XDR Office 365 Alert, Generic-reverse-shell-oneliner, QakBot Process Creation, Linux Bash Reverse Shell, PowerShell Downgrade Attack, Elise Backdoor, Suspicious PowerShell Invocations - Generic, Microsoft Defender XDR Endpoint Alert, Login Brute-Force Successful On SentinelOne EDR Management Console, Suspicious Windows Script Execution, Mustang Panda Dropper, Lazarus Loaders, Sysprep On AppData Folder, Suspicious Outlook Child Process, PowerShell Download From URL"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, PsExec Process, Wininit Wrong Parent, Userinit Wrong Parent, Exfiltration Via Pscp, Microsoft Defender XDR Cloud App Security Alert, Winrshost Wrong Parent, Windows Update LolBins, Gpscript Suspicious Parent, Microsoft Defender XDR Alert, SolarWinds Wrong Child Process, Smss Wrong Parent, Usage Of Procdump With Common Arguments, Winword wrong parent, OneNote Suspicious Children Process, Suspicious DNS Child Process, Dllhost Wrong Parent, Svchost Wrong Parent, Lsass Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Microsoft Defender XDR Office 365 Alert, Csrss Wrong Parent, Microsoft Defender XDR Endpoint Alert, SolarWinds Suspicious File Creation, Usage Of Sysinternals Tools, Wmiprvse Wrong Parent, Login Brute-Force Successful On SentinelOne EDR Management Console, Logonui Wrong Parent, Searchindexer Wrong Parent"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, FLTMC command usage"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Windows Firewall Changes, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable SecurityHealth, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Powershell AMSI Bypass, Microsoft Defender Antivirus Exclusion Configuration, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Opening, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Port Opening, Disabled IE Security Features, Netsh Port Forwarding, FLTMC command usage, Netsh Allow Command, NetNTLM Downgrade Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, ETW Tampering, SELinux Disabling, Disable .NET ETW Through COMPlus_ETWEnabled, Disabled Service, AMSI Deactivation Using Registry Key, Suspicious Driver Loaded, Microsoft Defender Antivirus Disable Services, Address Space Layout Randomization (ASLR) Alteration, Fail2ban Unban IP, Clear EventLogs Through CommandLine, Raccine Uninstall, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Suspicious PROCEXP152.sys File Created In Tmp, Disable Task Manager Through Registry Key"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable SecurityHealth, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Microsoft Defender Antivirus Exclusion Configuration, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Port Opening, Disabled IE Security Features, Netsh Port Forwarding, NetNTLM Downgrade Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, SELinux Disabling, Disabled Service, AMSI Deactivation Using Registry Key, Suspicious Driver Loaded, Microsoft Defender Antivirus Disable Services, Address Space Layout Randomization (ASLR) Alteration, Fail2ban Unban IP, Raccine Uninstall, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Suspicious PROCEXP152.sys File Created In Tmp, Disable Task Manager Through Registry Key"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Process Memory Dump Using Comsvcs, HackTools Suspicious Process Names In Command Line, HackTools Suspicious Names, Process Trace Alteration, Grabbing Sensitive Hives Via Reg Utility, Rubeus Tool Command-line, Copying Sensitive Files With Credential Data, Credential Dump Tools Related Files, Suspicious CommandLine Lsassy Pattern, WCE wceaux.dll Creation, NetNTLM Downgrade Attack, Process Memory Dump Using Rdrleakdiag, Wdigest Enable UseLogonCredential, Process Memory Dump Using Createdump, Windows Credential Editor Registry Key, Mimikatz Basic Commands, NTDS.dit File Interaction Through Command Line, Copying Browser Files With Credentials"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Disable Workstation Lock, NetNTLM Downgrade Attack, Blue Mockingbird Malware, FlowCloud Malware, Wdigest Enable UseLogonCredential, RDP Sensitive Settings Changed, Suspicious New Printer Ports In Registry, RedMimicry Winnti Playbook Registry Manipulation, OceanLotus Registry Activity, Suspicious Desktopimgdownldr Execution, Disabling SmartScreen Via Registry, DHCP Callout DLL Installation, Disable .NET ETW Through COMPlus_ETWEnabled, Ursnif Registry Key"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Rclone Process, Suspicious Finger Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Microsoft Office Spawning Script, Malspam Execution Registering Malicious DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, SquirrelWaffle Malspam Execution Loading DLL, QakBot Process Creation, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, Download Files From Suspicious TLDs, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Exploit For CVE-2015-1641, Explorer Process Executing HTA File, Winword Document Droppers, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, Bloodhound and Sharphound Tools Usage, Suspicious XOR Encoded PowerShell Command Line, Suspicious PowerShell Keywords, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, Invoke-TheHash Commandlets, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), Mshta Suspicious Child Process, WMImplant Hack Tool, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, FromBase64String Command Line, Suspicious Taskkill Command, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Generic, PowerShell Download From URL"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Control Panel Items, Component Object Model Hijacking, Sticky Key Like Backdoor Usage, Reconnaissance Commands Activities, Change Default File Association, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, New DLL Added To AppCertDlls Registry Key, COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, WMI Fingerprint Commands, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, Shadow Copies, System Info Discovery"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Svchost Wrong Parent, Taskhostw Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Smss Wrong Parent, Wsmprovhost Wrong Parent, Wmiprvse Wrong Parent, MavInject Process Injection, Explorer Wrong Parent, Searchindexer Wrong Parent"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, Wininit Wrong Parent, New Service Creation, Userinit Wrong Parent, Winrshost Wrong Parent, Gpscript Suspicious Parent, SolarWinds Wrong Child Process, Smss Wrong Parent, Explorer Wrong Parent, Winword wrong parent, OneNote Suspicious Children Process, Dllhost Wrong Parent, Svchost Wrong Parent, Lsass Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Csrss Wrong Parent, Wmiprvse Wrong Parent, Logonui Wrong Parent, Searchindexer Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, Wininit Wrong Parent, New Service Creation, Userinit Wrong Parent, Winrshost Wrong Parent, Gpscript Suspicious Parent, SolarWinds Wrong Child Process, Smss Wrong Parent, Explorer Wrong Parent, Winword wrong parent, OneNote Suspicious Children Process, Dllhost Wrong Parent, Svchost Wrong Parent, Lsass Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Csrss Wrong Parent, Wmiprvse Wrong Parent, Logonui Wrong Parent, Searchindexer Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, PsExec Process, Wininit Wrong Parent, Userinit Wrong Parent, Winrshost Wrong Parent, Gpscript Suspicious Parent, SolarWinds Wrong Child Process, Smss Wrong Parent, Usage Of Procdump With Common Arguments, Winword wrong parent, OneNote Suspicious Children Process, Suspicious DNS Child Process, Dllhost Wrong Parent, Svchost Wrong Parent, Lsass Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Csrss Wrong Parent, Usage Of Sysinternals Tools, Wmiprvse Wrong Parent, Logonui Wrong Parent, Searchindexer Wrong Parent"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Netsh Allow Command, Netsh RDP Port Forwarding, Windows Firewall Changes, Powershell AMSI Bypass, Netsh Port Opening, Netsh Port Forwarding"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Using Fodhelper, Reconnaissance Commands Activities, Shell PID Injection, COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, UAC Bypass Via Sdclt"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, Mshta JavaScript Execution, MavInject Process Injection, Suspicious Control Process, MOFComp Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Regasm Regsvcs Usage, Malspam Execution Registering Malicious DLL, CertOC Loading Dll, xWizard Execution, PowerShell Execution Via Rundll32, Control Panel Items, Empire Monkey Activity, Suspicious Desktopimgdownldr Execution, Suspicious Taskkill Command, Suspicious Mshta Execution, Suspicious DLL Loading By Ordinal, Suspicious Regsvr32 Execution, CMSTP Execution, Explorer Process Executing HTA File, Equation Group DLL_U Load, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, PowerShell Data Compressed, Data Compressed With Rar With Password"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, PowerView commandlets 2, Openfiles Usage, Shell PID Injection, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, Reconnaissance Commands Activities, Shell PID Injection, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 1, Network Share Discovery, PowerView commandlets 2"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, AdFind Usage, NlTest Usage, PowerView commandlets 1"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths, IIS Module Installation Using AppCmd, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Copy Of Legitimate System32 Executable, AutoIt3 Execution From Suspicious Folder, Formbook Hijacked Process Command, Non-Legitimate Executable Using AcceptEula Parameter, Legitimate Process Execution From Unusual Folder, Possible Malicious File Double Extension, Suspicious Cmd.exe Command Line, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Ngrok Process Execution, Netsh Port Forwarding"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Disabled Service, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Stop Backup Services, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, WMI Fingerprint Commands, WMI Install Of Binary, Impacket Wmiexec Module, Invoke-TheHash Commandlets, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, Wmic Process Call Creation, WMIC Uninstall Product, WMImplant Hack Tool, Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Exfiltration And Tunneling Tools Execution, Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Bazar Loader DGA (Domain Generation Algorithm), Detect requests to Konni C2 servers, Koadic MSHTML Command, DNS Tunnel Technique From MuddyWater, TrevorC2 HTTP Communication, Covenant Default HTTP Beaconing, Dynamic DNS Contacted"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, HTA Infection Chains, Download Files From Suspicious TLDs, ISO LNK Infection Chain"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, DLL Load via LSASS Registry Key, Malware Persistence Registry Key, RUN Registry Key Created From Suspicious Folder, Suspicious desktop.ini Action, NjRat Registry Changes, Svchost Modification, Njrat Registry Values, Autorun Keys Modification, Kernel Module Alteration, Powershell Winlogon Helper DLL, Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, IcedID Execution Using Excel"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder, Svchost Modification, Autorun Keys Modification, Malware Persistence Registry Key"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, Empire Monkey Activity, Equation Group DLL_U Load, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, Suspicious Headless Web Browser Execution To Download File, Discovery Commands Correlation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, Cmd.exe Used To Run Reconnaissance Commands, Discovery Commands Correlation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, System Network Connections Discovery, Remote System Discovery Via Telnet, ACLight Discovering Privileged Accounts"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, Suspicious DNS Child Process"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Elise Backdoor, Phorpiex DriveMgr Command, Malspam Execution Registering Malicious DLL, Suspicious Cmd.exe Command Line, Suspicious Taskkill Command, Mustang Panda Dropper, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Adexplorer Usage, Opening Of a Password File, Linux Suspicious Search, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, Erase Shell History, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line, Exfiltration Domain"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Legitimate Process Execution From Unusual Folder, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Hangul Word Processor Child Process, Msdt (Follina) File Browse Process Execution, Exploit For CVE-2015-1641, Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, Suspicious Email Attachment Received"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Download Files From Suspicious TLDs, Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, Suspicious Outlook Child Process, Suspicious Email Attachment Received"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Exfiltration And Tunneling Tools Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, Python HTTP Server, Detect requests to Konni C2 servers, Koadic MSHTML Command, TrevorC2 HTTP Communication, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Windows Credential Editor Registry Key, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Suspicious New Printer Ports In Registry, CVE-2021-4034 Polkit's pkexec, Certify Or Certipy"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Registry Checked For Lanmanserver DisableCompression Parameter"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Shell PID Injection, Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Authentication Impossible Travel"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Authentication Impossible Travel"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_0642b03a-9d4a-4c88-a5e2-4597e366b8c4_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_0642b03a-9d4a-4c88-a5e2-4597e366b8c4_do_not_edit_manually.json
index 91c84b5c70..62c157a784 100644
--- a/_shared_content/operations_center/detection/generated/attack_0642b03a-9d4a-4c88-a5e2-4597e366b8c4_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_0642b03a-9d4a-4c88-a5e2-4597e366b8c4_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x VMware vCenter", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Socat Reverse Shell Detection, Bloodhound and Sharphound Tools Usage, Socat Relaying Socket"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Network Connection Via Certutil"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential LokiBot User-Agent, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential LokiBot User-Agent, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Covenant Default HTTP Beaconing, Cryptomining, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, Discovery Commands Correlation"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, Discovery Commands Correlation"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Discovery Commands Correlation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x VMware vCenter", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Socat Relaying Socket, Sekoia.io EICAR Detection, Bloodhound and Sharphound Tools Usage, Socat Reverse Shell Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Network Connection Via Certutil"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Relaying Socket, Exfiltration And Tunneling Tools Execution, Socat Reverse Shell Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Exfiltration And Tunneling Tools Execution, Cryptomining, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Potential LokiBot User-Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Dynamic DNS Contacted"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, System Info Discovery"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage, NlTest Usage"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.json
index 5f4c17e461..96690ecea7 100644
--- a/_shared_content/operations_center/detection/generated/attack_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Trend Micro Apex One", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: Trend Micro Apex One Data Loss Prevention Alert, Explorer Process Executing HTA File, ZIP LNK Infection Chain, Microsoft Office Creating Suspicious File, Malspam Execution Registering Malicious DLL, Trend Micro Apex One Malware Alert, HTA Infection Chains, ISO LNK Infection Chain, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Venom Multi-hop Proxy agent detection, Suspicious Windows Script Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious CodePage Switch with CHCP, Default Encoding To UTF-8 PowerShell, Socat Reverse Shell Detection, Generic-reverse-shell-oneliner, WMImplant Hack Tool, Suspicious PowerShell Keywords, PowerShell Downgrade Attack, Suspicious PrinterPorts Creation (CVE-2020-1048), Mustang Panda Dropper, PowerShell EncodedCommand, QakBot Process Creation, Socat Relaying Socket, Sysprep On AppData Folder, Python Offensive Tools and Packages, Powershell Web Request, Malspam Execution Registering Malicious DLL, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Taskkill Command, AutoIt3 Execution From Suspicious Folder, Bloodhound and Sharphound Tools Usage, Trend Micro Apex One Data Loss Prevention Alert, MalwareBytes Uninstallation, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Download From URL, PowerShell Commands Invocation, Invoke-TheHash Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, XSL Script Processing And SquiblyTwo Attack, Suspicious XOR Encoded PowerShell Command Line, WMIC Uninstall Product, Suspicious PowerShell Invocations - Generic, Microsoft Office Creating Suspicious File, Trend Micro Apex One Malware Alert, Suspicious VBS Execution Parameter, Suspicious PowerShell Invocations - Specific, Lazarus Loaders, Elise Backdoor, DNS Exfiltration and Tunneling Tools Execution, PowerShell Invoke Expression With Registry, Suspicious File Name, Linux Bash Reverse Shell"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Trend Micro Apex One Data Loss Prevention Alert, Exfiltration Via Pscp, OneNote Suspicious Children Process, Trend Micro Apex One Malware Alert, PsExec Process, SolarWinds Suspicious File Creation, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner New Issues, Trend Micro Apex One Intrusion Detection Alert"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Process Names In Command Line, Cmdkey Cached Credentials Recon, HackTools Suspicious Names, Process Trace Alteration, NTDS.dit File In Suspicious Directory, Mimikatz Basic Commands, Rubeus Tool Command-line, Grabbing Sensitive Hives Via Reg Utility, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Comsvcs, Wdigest Enable UseLogonCredential, NTDS.dit File Interaction Through Command Line, WCE wceaux.dll Creation, Suspicious CommandLine Lsassy Pattern, Credential Dump Tools Related Files, Process Memory Dump Using Createdump, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Information Stealer Downloading Legitimate Third-Party DLLs"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Rclone Process, Suspicious certutil command, Network Connection Via Certutil, Information Stealer Downloading Legitimate Third-Party DLLs, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, QakBot Process Creation, Suspicious CodePage Switch with CHCP, Microsoft Office Creating Suspicious File, Malspam Execution Registering Malicious DLL, Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, WMI Fingerprint Commands, Shadow Copies, System Info Discovery, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Enabling Restricted Admin Mode, Add User to Privileged Group, Password Change On Directory Service Restore Mode (DSRM) Account, SSH Authorized Key Alteration"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Powershell AMSI Bypass, Netsh Port Opening, Netsh Allow Command, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Allow Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh RDP Port Opening, Disable .NET ETW Through COMPlus_ETWEnabled, Package Manager Alteration, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PROCEXP152.sys File Created In Tmp, Netsh RDP Port Forwarding, Netsh Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Disabled IE Security Features, ETW Tampering, Powershell AMSI Bypass, MalwareBytes Uninstallation, Raccine Uninstall, Disable Windows Defender Credential Guard, Address Space Layout Randomization (ASLR) Alteration, Windows Firewall Changes, Microsoft Defender Antivirus Disable Using Registry, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable Services, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, WMIC Uninstall Product, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Port Opening, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Task Manager Through Registry Key, Netsh Allowed Python Program, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Wdigest Enable UseLogonCredential, Suspicious Desktopimgdownldr Execution, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Empire Monkey Activity, Suspicious Desktopimgdownldr Execution, Suspicious Mshta Execution, xWizard Execution, Suspicious Regsvr32 Execution, Malspam Execution Registering Malicious DLL, MavInject Process Injection, PowerShell Execution Via Rundll32, CertOC Loading Dll, Suspicious DLL Loading By Ordinal, Suspicious Taskkill Command, Explorer Process Executing HTA File, Equation Group DLL_U Load, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Regasm Regsvcs Usage, CMSTP Execution, Control Panel Items, Suspicious Control Process, AccCheckConsole Executing Dll, Mshta JavaScript Execution, Suspicious Windows Installer Execution, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, COM Hijack Via Sdclt, Control Panel Items, HTML Smuggling Suspicious Usage, Reconnaissance Commands Activities, WMI Persistence Script Event Consumer File Write, Change Default File Association, Component Object Model Hijacking"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password, PowerShell Data Compressed"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Cron Files Alteration, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Shell PID Injection, COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, Reconnaissance Commands Activities, UAC Bypass Via Sdclt"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Openfiles Usage, Network Scanning and Discovery, Shell PID Injection, PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Shell PID Injection, Discovery Commands Correlation, Active Directory Data Export Using Csvde, PowerView commandlets 1, Reconnaissance Commands Activities, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, PowerView commandlets 1, AdFind Usage, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Copy Of Legitimate System32 Executable, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder, Non-Legitimate Executable Using AcceptEula Parameter, AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, RTLO Character"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Ngrok Process Execution, Netsh Port Forwarding, Potential DNS Tunnel"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Correlation Multi Service Disable"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Stop Backup Services"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Process Call Creation, WMIC Uninstall Product, WMImplant Hack Tool, WMI Install Of Binary, WMI Fingerprint Commands, Invoke-TheHash Commandlets, Wmic Service Call, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, WMImplant Hack Tool, Suspicious PowerShell Keywords, PowerShell Downgrade Attack, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Powershell Web Request, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Taskkill Command, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Download From URL, Invoke-TheHash Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, Suspicious PowerShell Invocations - Generic, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, PowerShell Invoke Expression With Registry"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh RDP Port Opening, Package Manager Alteration, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PROCEXP152.sys File Created In Tmp, Netsh RDP Port Forwarding, Netsh Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Disabled IE Security Features, MalwareBytes Uninstallation, Raccine Uninstall, Disable Windows Defender Credential Guard, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Disable Services, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, WMIC Uninstall Product, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Port Opening, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Task Manager Through Registry Key, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, Download Files From Suspicious TLDs, HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Autorun Keys Modification, Leviathan Registry Key Activity, Suspicious desktop.ini Action, Njrat Registry Values, Kernel Module Alteration, NjRat Registry Changes"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Impacket Addcomputer, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious XOR Encoded PowerShell Command Line, Suspicious certutil command, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Gpresult Usage, Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, Network Sniffing, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, PsExec Process, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, New Service Creation"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, Information Stealer Downloading Legitimate Third-Party DLLs, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: System Network Connections Discovery, ACLight Discovering Privileged Accounts, Remote System Discovery Via Telnet, Adidnsdump Enumeration"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, WMIC Uninstall Product, MalwareBytes Uninstallation, Malspam Execution Registering Malicious DLL, Lazarus Loaders, Elise Backdoor, Suspicious Taskkill Command, Phorpiex DriveMgr Command, Mustang Panda Dropper"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access, Adexplorer Usage, Linux Suspicious Search, Opening Of a Password File, Container Credential Access"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Cookies Deletion, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, Erase Shell History, ETW Tampering, Compression Followed By Suppression"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Potential DNS Tunnel, Exfiltration Domain, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution, Download Files From Suspicious TLDs"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Malspam Execution Registering Malicious DLL, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Suspicious Windows DNS Queries, Python HTTP Server, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Dynamic DNS Contacted, Correlation Potential DNS Tunnel, Suspicious Windows DNS Queries, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cryptomining"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, Dynamic Linker Hijacking From Environment Variable, DNS ServerLevelPluginDll Installation, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, Discovery Commands Correlation"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup, Wmic Suspicious Commands"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Createdump, Credential Dump Tools Related Files"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Email Attachment Received"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Suspicious Double Extension, Suspicious Email Attachment Received, Download Files From Suspicious TLDs"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding, Suspicious TOR Gateway"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Shell PID Injection"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Trend Micro Apex One", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, Download Files From Suspicious TLDs, Trend Micro Apex One Data Loss Prevention Alert, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, HTA Infection Chains, Explorer Process Executing HTA File, Trend Micro Apex One Malware Alert, Microsoft Office Creating Suspicious File, ISO LNK Infection Chain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, PowerShell Commands Invocation, Suspicious File Name, Bloodhound and Sharphound Tools Usage, Suspicious XOR Encoded PowerShell Command Line, Venom Multi-hop Proxy agent detection, Suspicious PowerShell Keywords, WMIC Uninstall Product, Suspicious PowerShell Invocations - Specific, Suspicious VBS Execution Parameter, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious CodePage Switch with CHCP, Socat Reverse Shell Detection, Phorpiex DriveMgr Command, Invoke-TheHash Commandlets, Malspam Execution Registering Malicious DLL, Powershell Web Request, XSL Script Processing And SquiblyTwo Attack, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Office Creating Suspicious File, WMImplant Hack Tool, Sekoia.io EICAR Detection, Default Encoding To UTF-8 PowerShell, Python Offensive Tools and Packages, Trend Micro Apex One Data Loss Prevention Alert, DNS Exfiltration and Tunneling Tools Execution, AutoIt3 Execution From Suspicious Folder, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Socat Relaying Socket, PowerShell EncodedCommand, FromBase64String Command Line, Suspicious Taskkill Command, Generic-reverse-shell-oneliner, QakBot Process Creation, Linux Bash Reverse Shell, PowerShell Downgrade Attack, Elise Backdoor, Suspicious PowerShell Invocations - Generic, Trend Micro Apex One Malware Alert, Suspicious Windows Script Execution, Mustang Panda Dropper, Lazarus Loaders, Sysprep On AppData Folder, PowerShell Download From URL"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Exfiltration Via Pscp, Trend Micro Apex One Data Loss Prevention Alert, Usage Of Procdump With Common Arguments, SolarWinds Suspicious File Creation, Usage Of Sysinternals Tools, Trend Micro Apex One Malware Alert, PsExec Process, OneNote Suspicious Children Process"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Trend Micro Apex One Intrusion Detection Alert, SecurityScorecard Vulnerability Assessment Scanner New Issues"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, Suspicious CommandLine Lsassy Pattern, WCE wceaux.dll Creation, Credential Dump Tools Related Files, Process Trace Alteration, Mimikatz Basic Commands, HackTools Suspicious Process Names In Command Line, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Names, Process Memory Dump Using Rdrleakdiag, Wdigest Enable UseLogonCredential, Grabbing Sensitive Hives Via Reg Utility, Process Memory Dump Using Createdump, Copying Browser Files With Credentials"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Information Stealer Downloading Legitimate Third-Party DLLs"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Information Stealer Downloading Legitimate Third-Party DLLs, Suspicious URI Used In A Lazarus Campaign, Network Connection Via Certutil, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Rclone Process, Suspicious Finger Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Malspam Execution Registering Malicious DLL, XSL Script Processing And SquiblyTwo Attack, Microsoft Office Creating Suspicious File, Suspicious Windows Script Execution, QakBot Process Creation, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, WMI Fingerprint Commands, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, Shadow Copies, System Info Discovery"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Mimikatz Basic Commands, SSH Authorized Key Alteration, Enabling Restricted Admin Mode, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Netsh Allow Command, Netsh RDP Port Forwarding, Windows Firewall Changes, Powershell AMSI Bypass, Netsh Port Opening, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Netsh RDP Port Forwarding, Windows Firewall Changes, Microsoft Defender Antivirus Disable SecurityHealth, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Powershell AMSI Bypass, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Opening, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Port Opening, Disabled IE Security Features, Netsh Port Forwarding, Netsh Allow Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, ETW Tampering, Package Manager Alteration, Disable .NET ETW Through COMPlus_ETWEnabled, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disable Services, Address Space Layout Randomization (ASLR) Alteration, Fail2ban Unban IP, Clear EventLogs Through CommandLine, Raccine Uninstall, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Suspicious PROCEXP152.sys File Created In Tmp, Disable Task Manager Through Registry Key"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Blue Mockingbird Malware, Wdigest Enable UseLogonCredential, RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, DHCP Callout DLL Installation, Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, Suspicious Rundll32.exe Execution, Mshta JavaScript Execution, MavInject Process Injection, Suspicious Control Process, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Regasm Regsvcs Usage, Malspam Execution Registering Malicious DLL, CertOC Loading Dll, xWizard Execution, PowerShell Execution Via Rundll32, Control Panel Items, Empire Monkey Activity, Suspicious Desktopimgdownldr Execution, Suspicious Taskkill Command, Suspicious Mshta Execution, Suspicious DLL Loading By Ordinal, Suspicious Regsvr32 Execution, CMSTP Execution, Explorer Process Executing HTA File, Equation Group DLL_U Load"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence, Control Panel Items, Component Object Model Hijacking, Reconnaissance Commands Activities, Change Default File Association, New DLL Added To AppCertDlls Registry Key, COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, PowerShell Data Compressed, Data Compressed With Rar With Password"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Cron Files Alteration, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, Shell PID Injection, COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, UAC Bypass Via Sdclt"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, PowerView commandlets 2, Openfiles Usage, Shell PID Injection, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, Reconnaissance Commands Activities, Shell PID Injection, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 1, Network Share Discovery, PowerView commandlets 2"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, AdFind Usage, NlTest Usage, PowerView commandlets 1"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading, Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Copy Of Legitimate System32 Executable, AutoIt3 Execution From Suspicious Folder, Non-Legitimate Executable Using AcceptEula Parameter, Legitimate Process Execution From Unusual Folder, Possible Malicious File Double Extension, Phorpiex Process Masquerading, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Socat Reverse Shell Detection, Socat Relaying Socket, Potential DNS Tunnel, Venom Multi-hop Proxy agent detection, Ngrok Process Execution, Netsh Port Forwarding"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Stop Backup Services, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, WMI Fingerprint Commands, WMI Install Of Binary, Invoke-TheHash Commandlets, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, Wmic Process Call Creation, WMIC Uninstall Product, WMImplant Hack Tool"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, Bloodhound and Sharphound Tools Usage, Suspicious XOR Encoded PowerShell Command Line, Suspicious PowerShell Keywords, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, Invoke-TheHash Commandlets, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), WMImplant Hack Tool, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, FromBase64String Command Line, Suspicious Taskkill Command, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Generic, PowerShell Download From URL"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable SecurityHealth, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Port Opening, Disabled IE Security Features, Netsh Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, Package Manager Alteration, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disable Services, Address Space Layout Randomization (ASLR) Alteration, Fail2ban Unban IP, Raccine Uninstall, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Suspicious PROCEXP152.sys File Created In Tmp, Disable Task Manager Through Registry Key"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, HTA Infection Chains, Download Files From Suspicious TLDs, ISO LNK Infection Chain"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, Malware Persistence Registry Key, NjRat Registry Changes, Njrat Registry Values, Autorun Keys Modification, Kernel Module Alteration, Suspicious desktop.ini Action"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Impacket Addcomputer"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Suspicious XOR Encoded PowerShell Command Line, OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments, OneNote Suspicious Children Process, Usage Of Sysinternals Tools"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, Suspicious Headless Web Browser Execution To Download File, Discovery Commands Correlation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, System Network Connections Discovery, Remote System Discovery Via Telnet, ACLight Discovering Privileged Accounts"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Elise Backdoor, Phorpiex DriveMgr Command, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Mustang Panda Dropper, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Adexplorer Usage, Opening Of a Password File, Linux Suspicious Search, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, Erase Shell History, Cookies Deletion, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line, Exfiltration Domain"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution, Download Files From Suspicious TLDs"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, Malspam Execution Registering Malicious DLL, Empire Monkey Activity, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Python HTTP Server, Suspicious Windows DNS Queries, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Correlation Potential DNS Tunnel, Suspicious Windows DNS Queries, Detect requests to Konni C2 servers, Koadic MSHTML Command, Dynamic DNS Contacted"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Hijack Legit RDP Session To Move Laterally, Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Email Attachment Received"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, Suspicious Email Attachment Received"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Shell PID Injection, Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_07c0cac8-f68f-11ea-adc1-0242ac120002_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_07c0cac8-f68f-11ea-adc1-0242ac120002_do_not_edit_manually.json
index 4bd49aabca..cac366962d 100644
--- a/_shared_content/operations_center/detection/generated/attack_07c0cac8-f68f-11ea-adc1-0242ac120002_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_07c0cac8-f68f-11ea-adc1-0242ac120002_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x AWS VPC Flow logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x AWS VPC Flow logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_07c556c0-0675-478c-9803-e7990afe78b6_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_07c556c0-0675-478c-9803-e7990afe78b6_do_not_edit_manually.json
index 3d4b424aaa..a3a464d98d 100644
--- a/_shared_content/operations_center/detection/generated/attack_07c556c0-0675-478c-9803-e7990afe78b6_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_07c556c0-0675-478c-9803-e7990afe78b6_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x SentinelOne EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: Login Failed Brute-Force On SentinelOne EDR Management Console, SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, SentinelOne EDR Threat Detected (Malicious), Malspam Execution Registering Malicious DLL, SentinelOne EDR Custom Rule Alert, SentinelOne EDR Threat Detected (Suspicious), SentinelOne EDR Malicious Threat Not Mitigated, ZIP LNK Infection Chain, SentinelOne EDR Threat Mitigation Report Kill Success, MS Office Product Spawning Exe in User Dir, SentinelOne EDR SSO User Added, SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence), ISO LNK Infection Chain, Cobalt Strike Default Beacons Names, Login Brute-Force Successful On SentinelOne EDR Management Console, SentinelOne EDR Threat Mitigation Report Quarantine Failed, SentinelOne EDR User Failed To Log In To The Management Console, SquirrelWaffle Malspam Execution Loading DLL, SentinelOne EDR User Logged In To The Management Console, HTA Infection Chains, SentinelOne EDR Agent Disabled, SentinelOne EDR Threat Mitigation Report Remediate Success, Download Files From Suspicious TLDs, SentinelOne EDR Threat Mitigation Report Quarantine Success"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Venom Multi-hop Proxy agent detection, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, Login Failed Brute-Force On SentinelOne EDR Management Console, Socat Reverse Shell Detection, WMImplant Hack Tool, SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, Suspicious PowerShell Keywords, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PrinterPorts Creation (CVE-2020-1048), Mustang Panda Dropper, SentinelOne EDR Threat Detected (Malicious), PowerShell EncodedCommand, QakBot Process Creation, Socat Relaying Socket, Powershell Web Request, Malspam Execution Registering Malicious DLL, SentinelOne EDR Custom Rule Alert, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, FromBase64String Command Line, Suspicious Taskkill Command, SentinelOne EDR Threat Detected (Suspicious), Bloodhound and Sharphound Tools Usage, Suspicious Cmd.exe Command Line, MalwareBytes Uninstallation, SentinelOne EDR Malicious Threat Not Mitigated, SentinelOne EDR Threat Mitigation Report Kill Success, SentinelOne EDR SSO User Added, PowerShell Commands Invocation, SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence), Invoke-TheHash Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Login Brute-Force Successful On SentinelOne EDR Management Console, SentinelOne EDR Threat Mitigation Report Quarantine Failed, Phorpiex DriveMgr Command, SentinelOne EDR User Failed To Log In To The Management Console, WMIC Uninstall Product, Suspicious PowerShell Invocations - Generic, SquirrelWaffle Malspam Execution Loading DLL, SentinelOne EDR User Logged In To The Management Console, Suspicious PowerShell Invocations - Specific, Lazarus Loaders, DNS Exfiltration and Tunneling Tools Execution, SentinelOne EDR Agent Disabled, PowerShell Invoke Expression With Registry, SentinelOne EDR Threat Mitigation Report Remediate Success, Suspicious File Name, Linux Bash Reverse Shell, SentinelOne EDR Threat Mitigation Report Quarantine Success"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Login Failed Brute-Force On SentinelOne EDR Management Console, SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, SentinelOne EDR Threat Detected (Malicious), SolarWinds Wrong Child Process, SentinelOne EDR Custom Rule Alert, PsExec Process, SentinelOne EDR Threat Detected (Suspicious), Usage Of Sysinternals Tools, SentinelOne EDR Malicious Threat Not Mitigated, OneNote Suspicious Children Process, SentinelOne EDR Threat Mitigation Report Kill Success, SentinelOne EDR SSO User Added, SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence), Login Brute-Force Successful On SentinelOne EDR Management Console, SentinelOne EDR Threat Mitigation Report Quarantine Failed, SentinelOne EDR User Failed To Log In To The Management Console, Usage Of Procdump With Common Arguments, SentinelOne EDR User Logged In To The Management Console, SentinelOne EDR Agent Disabled, SentinelOne EDR Threat Mitigation Report Remediate Success, SentinelOne EDR Threat Mitigation Report Quarantine Success"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, FLTMC command usage, ETW Tampering"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disable .NET ETW Through COMPlus_ETWEnabled, FLTMC command usage, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PROCEXP152.sys File Created In Tmp, Netsh RDP Port Forwarding, Netsh Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Disabled IE Security Features, ETW Tampering, Powershell AMSI Bypass, MalwareBytes Uninstallation, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Windows Firewall Changes, Microsoft Defender Antivirus Disable Using Registry, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Task Manager Through Registry Key, Netsh Allowed Python Program, Debugging Software Deactivation"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Process Names In Command Line, HackTools Suspicious Names, Process Trace Alteration, NTDS.dit File In Suspicious Directory, Mimikatz Basic Commands, Rubeus Tool Command-line, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Comsvcs, Wdigest Enable UseLogonCredential, NTDS.dit File Interaction Through Command Line, WCE wceaux.dll Creation, Suspicious CommandLine Lsassy Pattern, Credential Dump Tools Related Files, Copying Browser Files With Credentials"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious certutil command, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: COM Hijack Via Sdclt, CMSTP UAC Bypass via COM Object Access, HTML Smuggling Suspicious Usage, Reconnaissance Commands Activities, UAC Bypass Via Sdclt"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, MavInject Process Injection, Malspam Execution Registering Malicious DLL, Suspicious Desktopimgdownldr Execution, Control Panel Items, CertOC Loading Dll, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, CMSTP UAC Bypass via COM Object Access, Suspicious Taskkill Command, Suspicious Windows Installer Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Powershell AMSI Bypass, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Forwarding, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Wdigest Enable UseLogonCredential, Suspicious Desktopimgdownldr Execution, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, COM Hijack Via Sdclt, Control Panel Items, HTML Smuggling Suspicious Usage, Reconnaissance Commands Activities, Change Default File Association, Component Object Model Hijacking"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, PowerView commandlets 1, Reconnaissance Commands Activities, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, PowerView commandlets 1, AdFind Usage, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation, PowerCat Function Loading"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Formbook Hijacked Process Command, Copy Of Legitimate System32 Executable, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, RTLO Character, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket, SOCKS Tunneling Tool, Ngrok Process Execution, Netsh Port Forwarding"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Correlation Multi Service Disable"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Stop Backup Services"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, MS Office Product Spawning Exe in User Dir, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Process Call Creation, WMIC Uninstall Product, Impacket Wmiexec Module, WMImplant Hack Tool, WMI Install Of Binary, WMI Fingerprint Commands, Invoke-TheHash Commandlets, Wmic Service Call, Blue Mockingbird Malware"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, Default Encoding To UTF-8 PowerShell, Suspicious PowerShell Invocations - Generic, Powershell Web Request, WMImplant Hack Tool, Suspicious PowerShell Keywords, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, FromBase64String Command Line, DNS Exfiltration and Tunneling Tools Execution, Suspicious Taskkill Command, PowerShell Invoke Expression With Registry, Invoke-TheHash Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Bloodhound and Sharphound Tools Usage, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, Download Files From Suspicious TLDs, HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Autorun Keys Modification, Leviathan Registry Key Activity, Suspicious desktop.ini Action, Njrat Registry Values, NjRat Registry Changes"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, WMIC Uninstall Product, MalwareBytes Uninstallation, Raccine Uninstall, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Disable Services, Netsh RDP Port Forwarding, Netsh Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Disabled IE Security Features"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, QakBot Process Creation, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process, OneNote Suspicious Children Process, PsExec Process, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, SolarWinds Wrong Child Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, SolarWinds Wrong Child Process"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Credential Dump Tools Related Files"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Suspicious Process Requiring DLL Starts Without DLL, MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands, Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: ACLight Discovering Privileged Accounts, Adidnsdump Enumeration"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, ETW Tampering, Compression Followed By Suppression"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, PowerShell Data Compressed"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, MalwareBytes Uninstallation, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Lazarus Loaders, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, Phorpiex DriveMgr Command, Mustang Panda Dropper"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution, Download Files From Suspicious TLDs"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Formbook Hijacked Process Command, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, Dynamic Linker Hijacking From Environment Variable, DNS ServerLevelPluginDll Installation, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Dynamic DNS Contacted, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cryptomining"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, WMI Fingerprint Commands, Discovery Commands Correlation"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern, Credential Dump Tools Related Files"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access, Container Credential Access"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding, Suspicious TOR Gateway"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Certify Or Certipy"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x SentinelOne EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, HTA Infection Chains, SentinelOne EDR Threat Detected (Suspicious), SentinelOne EDR Custom Rule Alert, Malspam Execution Registering Malicious DLL, SentinelOne EDR Malicious Threat Not Mitigated, SentinelOne EDR SSO User Added, SentinelOne EDR Agent Disabled, SentinelOne EDR Threat Mitigation Report Quarantine Success, SentinelOne EDR User Logged In To The Management Console, Download Files From Suspicious TLDs, SentinelOne EDR Threat Mitigation Report Quarantine Failed, SentinelOne EDR Threat Mitigation Report Remediate Success, SentinelOne EDR Threat Detected (Malicious), SentinelOne EDR User Failed To Log In To The Management Console, Login Failed Brute-Force On SentinelOne EDR Management Console, ISO LNK Infection Chain, SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, Cobalt Strike Default Beacons Names, SentinelOne EDR Threat Mitigation Report Kill Success, Login Brute-Force Successful On SentinelOne EDR Management Console, SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence), SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, PowerShell Commands Invocation, Suspicious File Name, Bloodhound and Sharphound Tools Usage, Venom Multi-hop Proxy agent detection, Suspicious PowerShell Keywords, Suspicious Cmd.exe Command Line, SentinelOne EDR Threat Detected (Suspicious), WMIC Uninstall Product, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, SquirrelWaffle Malspam Execution Loading DLL, SentinelOne EDR Custom Rule Alert, Socat Reverse Shell Detection, Phorpiex DriveMgr Command, Invoke-TheHash Commandlets, Malspam Execution Registering Malicious DLL, Powershell Web Request, SentinelOne EDR Malicious Threat Not Mitigated, SentinelOne EDR SSO User Added, Suspicious PrinterPorts Creation (CVE-2020-1048), SentinelOne EDR Agent Disabled, SentinelOne EDR Threat Mitigation Report Quarantine Success, SentinelOne EDR User Logged In To The Management Console, WMImplant Hack Tool, Sekoia.io EICAR Detection, Default Encoding To UTF-8 PowerShell, SentinelOne EDR Threat Mitigation Report Quarantine Failed, DNS Exfiltration and Tunneling Tools Execution, Socat Relaying Socket, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, FromBase64String Command Line, SentinelOne EDR Threat Mitigation Report Remediate Success, Suspicious Taskkill Command, SentinelOne EDR Threat Detected (Malicious), QakBot Process Creation, Linux Bash Reverse Shell, SentinelOne EDR User Failed To Log In To The Management Console, Login Failed Brute-Force On SentinelOne EDR Management Console, SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PowerShell Invocations - Generic, SentinelOne EDR Threat Mitigation Report Kill Success, Login Brute-Force Successful On SentinelOne EDR Management Console, SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence), Mustang Panda Dropper, Lazarus Loaders, MalwareBytes Uninstallation"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SentinelOne EDR Threat Detected (Suspicious), PsExec Process, SentinelOne EDR Custom Rule Alert, SentinelOne EDR Malicious Threat Not Mitigated, SentinelOne EDR SSO User Added, SolarWinds Wrong Child Process, SentinelOne EDR Agent Disabled, SentinelOne EDR Threat Mitigation Report Quarantine Success, Usage Of Procdump With Common Arguments, SentinelOne EDR User Logged In To The Management Console, OneNote Suspicious Children Process, SentinelOne EDR Threat Mitigation Report Quarantine Failed, SentinelOne EDR Threat Mitigation Report Remediate Success, SentinelOne EDR Threat Detected (Malicious), SentinelOne EDR User Failed To Log In To The Management Console, Login Failed Brute-Force On SentinelOne EDR Management Console, SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, Usage Of Sysinternals Tools, SentinelOne EDR Threat Mitigation Report Kill Success, Login Brute-Force Successful On SentinelOne EDR Management Console, SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence)"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, FLTMC command usage"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Netsh RDP Port Forwarding, Windows Firewall Changes, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Powershell AMSI Bypass, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Disabled IE Security Features, Netsh Port Forwarding, FLTMC command usage, Microsoft Defender Antivirus Disabled Base64 Encoded, ETW Tampering, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable Services, Address Space Layout Randomization (ASLR) Alteration, Clear EventLogs Through CommandLine, Raccine Uninstall, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Suspicious PROCEXP152.sys File Created In Tmp, Disable Task Manager Through Registry Key"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory, Suspicious CommandLine Lsassy Pattern, WCE wceaux.dll Creation, Process Trace Alteration, Mimikatz Basic Commands, HackTools Suspicious Process Names In Command Line, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Names, Process Memory Dump Using Rdrleakdiag, Wdigest Enable UseLogonCredential, Copying Browser Files With Credentials"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Rclone Process"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, Reconnaissance Commands Activities, COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, UAC Bypass Via Sdclt"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution, Control Panel Items, CMSTP UAC Bypass via COM Object Access, Malspam Execution Registering Malicious DLL, CertOC Loading Dll, Suspicious Desktopimgdownldr Execution, MavInject Process Injection, Equation Group DLL_U Load, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Windows Firewall Changes, Powershell AMSI Bypass, Netsh Port Forwarding"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Blue Mockingbird Malware, Wdigest Enable UseLogonCredential, RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, DHCP Callout DLL Installation, Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Control Panel Items, Reconnaissance Commands Activities, Change Default File Association, New DLL Added To AppCertDlls Registry Key, COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, Reconnaissance Commands Activities, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 1, Network Share Discovery, PowerView commandlets 2"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, AdFind Usage, NlTest Usage, PowerView commandlets 1"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Copy Of Legitimate System32 Executable, Formbook Hijacked Process Command, Non-Legitimate Executable Using AcceptEula Parameter, Legitimate Process Execution From Unusual Folder, Possible Malicious File Double Extension, Suspicious Cmd.exe Command Line, Phorpiex Process Masquerading, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Ngrok Process Execution, Netsh Port Forwarding"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Stop Backup Services, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, WMI Fingerprint Commands, WMI Install Of Binary, Impacket Wmiexec Module, Invoke-TheHash Commandlets, Blue Mockingbird Malware, Wmic Process Call Creation, WMIC Uninstall Product, WMImplant Hack Tool"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Default Encoding To UTF-8 PowerShell, PowerShell Invoke Expression With Registry, Invoke-TheHash Commandlets, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Generic, Bloodhound and Sharphound Tools Usage, Powershell Web Request, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, FromBase64String Command Line, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, HTA Infection Chains, Download Files From Suspicious TLDs, ISO LNK Infection Chain"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, Malware Persistence Registry Key, NjRat Registry Changes, Njrat Registry Values, Autorun Keys Modification, Suspicious desktop.ini Action"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Services, Netsh Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, Microsoft Defender Antivirus Disable Using Registry, WMIC Uninstall Product, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PROCEXP152.sys File Created In Tmp, Disable Task Manager Through Registry Key"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, FromBase64String Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools, SolarWinds Wrong Child Process, PsExec Process, OneNote Suspicious Children Process"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process, OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process, OneNote Suspicious Children Process"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Copying Browser Files With Credentials"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, Suspicious Process Requiring DLL Starts Without DLL, MavInject Process Injection"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, Cmd.exe Used To Run Reconnaissance Commands, Discovery Commands Correlation"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, ACLight Discovering Privileged Accounts"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line, Exfiltration Domain"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar With Password"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Phorpiex DriveMgr Command, Malspam Execution Registering Malicious DLL, Suspicious Cmd.exe Command Line, Suspicious Taskkill Command, Mustang Panda Dropper, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution, Download Files From Suspicious TLDs"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Exploiting SetupComplete.cmd CVE-2019-1378, Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Detect requests to Konni C2 servers, Koadic MSHTML Command, Dynamic DNS Contacted"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, WMI Fingerprint Commands, Listing Systemd Environment"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Detect requests to Konni C2 servers, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access, Container Credential Access"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_0ba58f32-7dba-4084-ab17-90c0be6b1f10_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_0ba58f32-7dba-4084-ab17-90c0be6b1f10_do_not_edit_manually.json
index ed01a4d69c..3dbfe9f6b0 100644
--- a/_shared_content/operations_center/detection/generated/attack_0ba58f32-7dba-4084-ab17-90c0be6b1f10_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_0ba58f32-7dba-4084-ab17-90c0be6b1f10_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cloudflare HTTP requests", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Cloudflare WAF Correlation Alerts, Cloudflare HTTP Requests Rule Block Or Drop"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Cloudflare WAF Correlation Alerts, Cloudflare HTTP Requests Rule Block Or Drop"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential LokiBot User-Agent, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Covenant Default HTTP Beaconing, Cryptomining, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential LokiBot User-Agent, Covenant Default HTTP Beaconing, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cloudflare HTTP requests", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Cloudflare HTTP Requests Rule Block Or Drop, Cloudflare WAF Correlation Alerts"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Cloudflare HTTP Requests Rule Block Or Drop, Cloudflare WAF Correlation Alerts"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Cryptomining, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Potential LokiBot User-Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_0de050fb-3f56-4c7a-a9b6-76bf5298a617_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_0de050fb-3f56-4c7a-a9b6-76bf5298a617_do_not_edit_manually.json
index be776a04e5..8465d951de 100644
--- a/_shared_content/operations_center/detection/generated/attack_0de050fb-3f56-4c7a-a9b6-76bf5298a617_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_0de050fb-3f56-4c7a-a9b6-76bf5298a617_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cybereason EDR activity", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Venom Multi-hop Proxy agent detection, Suspicious Windows Script Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious CodePage Switch with CHCP, Default Encoding To UTF-8 PowerShell, Socat Reverse Shell Detection, Generic-reverse-shell-oneliner, WMImplant Hack Tool, Suspicious PowerShell Keywords, PowerShell Downgrade Attack, Suspicious PrinterPorts Creation (CVE-2020-1048), Mustang Panda Dropper, PowerShell EncodedCommand, QakBot Process Creation, Socat Relaying Socket, Sysprep On AppData Folder, Powershell Web Request, Malspam Execution Registering Malicious DLL, Suspicious Outlook Child Process, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Taskkill Command, Bloodhound and Sharphound Tools Usage, Suspicious Cmd.exe Command Line, MalwareBytes Uninstallation, PowerShell Malicious Nishang PowerShell Commandlets, Mshta Suspicious Child Process, PowerShell Download From URL, PowerShell Commands Invocation, Microsoft Office Spawning Script, Invoke-TheHash Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, XSL Script Processing And SquiblyTwo Attack, Suspicious XOR Encoded PowerShell Command Line, WMIC Uninstall Product, Suspicious PowerShell Invocations - Generic, SquirrelWaffle Malspam Execution Loading DLL, Suspicious VBS Execution Parameter, Suspicious PowerShell Invocations - Specific, Lazarus Loaders, Elise Backdoor, DNS Exfiltration and Tunneling Tools Execution, PowerShell Invoke Expression With Registry, Linux Bash Reverse Shell"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner New Issues"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, FLTMC command usage, ETW Tampering"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Allow Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh RDP Port Opening, Disable .NET ETW Through COMPlus_ETWEnabled, FLTMC command usage, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PROCEXP152.sys File Created In Tmp, Netsh RDP Port Forwarding, Netsh Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Disabled IE Security Features, ETW Tampering, Powershell AMSI Bypass, MalwareBytes Uninstallation, Raccine Uninstall, Disable Windows Defender Credential Guard, Address Space Layout Randomization (ASLR) Alteration, Windows Firewall Changes, Microsoft Defender Antivirus Disable Using Registry, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable Services, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, WMIC Uninstall Product, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Port Opening, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Task Manager Through Registry Key, Netsh Allowed Python Program, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Process Names In Command Line, Cmdkey Cached Credentials Recon, HackTools Suspicious Names, Process Trace Alteration, Process Memory Dump Using Rdrleakdiag, Mimikatz Basic Commands, Rubeus Tool Command-line, Grabbing Sensitive Hives Via Reg Utility, Process Memory Dump Using Comsvcs, Wdigest Enable UseLogonCredential, NTDS.dit File Interaction Through Command Line, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Createdump, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Rclone Process, Suspicious certutil command, Network Connection Via Certutil, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, QakBot Process Creation, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Suspicious VBS Execution Parameter, Microsoft Office Spawning Script, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Winword Document Droppers, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, ZIP LNK Infection Chain, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Winword Document Droppers, Suspicious Outlook Child Process, HTA Infection Chains, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, ISO LNK Infection Chain, Exploit For CVE-2015-1641, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, WMImplant Hack Tool, Suspicious PowerShell Keywords, PowerShell Downgrade Attack, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Powershell Web Request, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Taskkill Command, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, Mshta Suspicious Child Process, PowerShell Download From URL, Invoke-TheHash Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, Suspicious PowerShell Invocations - Generic, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, PowerShell Invoke Expression With Registry"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, WMI Fingerprint Commands, Shadow Copies, System Info Discovery, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Password Change On Directory Service Restore Mode (DSRM) Account, Add User to Privileged Group, Enabling Restricted Admin Mode"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Powershell AMSI Bypass, Netsh Port Opening, Netsh Allow Command, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Wdigest Enable UseLogonCredential, Suspicious Desktopimgdownldr Execution, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Empire Monkey Activity, IcedID Execution Using Excel, Suspicious Desktopimgdownldr Execution, Suspicious Mshta Execution, xWizard Execution, Suspicious Regsvr32 Execution, Malspam Execution Registering Malicious DLL, MavInject Process Injection, PowerShell Execution Via Rundll32, CertOC Loading Dll, Suspicious DLL Loading By Ordinal, Suspicious Taskkill Command, MOFComp Execution, Explorer Process Executing HTA File, Equation Group DLL_U Load, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Regasm Regsvcs Usage, CMSTP Execution, SquirrelWaffle Malspam Execution Loading DLL, Control Panel Items, Suspicious Control Process, AccCheckConsole Executing Dll, Mshta JavaScript Execution, Suspicious Windows Installer Execution, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, COM Hijack Via Sdclt, Control Panel Items, HTML Smuggling Suspicious Usage, Reconnaissance Commands Activities, WMI Persistence Script Event Consumer File Write, Change Default File Association, Component Object Model Hijacking"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password, PowerShell Data Compressed"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Shell PID Injection, COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, Reconnaissance Commands Activities, UAC Bypass Via Sdclt"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Openfiles Usage, Network Scanning and Discovery, Shell PID Injection, PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Shell PID Injection, Discovery Commands Correlation, Active Directory Data Export Using Csvde, PowerView commandlets 1, Reconnaissance Commands Activities, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, PowerView commandlets 1, AdFind Usage, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, IIS Module Installation Using AppCmd, PowerCat Function Loading"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Copy Of Legitimate System32 Executable, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, RTLO Character, Suspicious Cmd.exe Command Line, Explorer Wrong Parent"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Ngrok Process Execution, Netsh Port Forwarding"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Correlation Multi Service Disable"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Stop Backup Services"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Process Call Creation, WMIC Uninstall Product, Impacket Wmiexec Module, WMImplant Hack Tool, WMI Install Of Binary, WMI Fingerprint Commands, Invoke-TheHash Commandlets, Suspicious Mshta Execution From Wmi, Wmic Service Call, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PROCEXP152.sys File Created In Tmp, Netsh RDP Port Forwarding, Netsh Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Disabled IE Security Features, MalwareBytes Uninstallation, Raccine Uninstall, Disable Windows Defender Credential Guard, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Disable Services, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, WMIC Uninstall Product, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Port Opening, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Task Manager Through Registry Key, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Dynamic DNS Contacted, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Cryptomining"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Autorun Keys Modification, Leviathan Registry Key Activity, Njrat Registry Values, Kernel Module Alteration, NjRat Registry Changes"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious XOR Encoded PowerShell Command Line, Suspicious certutil command, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Gpresult Usage, Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, Network Sniffing, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process, OneNote Suspicious Children Process, PsExec Process, Winword wrong parent, Suspicious DNS Child Process, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process, Exfiltration Via Pscp, OneNote Suspicious Children Process, Windows Update LolBins, PsExec Process, Winword wrong parent, Suspicious DNS Child Process, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Office Application Startup Office Test"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process, OneNote Suspicious Children Process, Winword wrong parent, New Service Creation, Explorer Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process, OneNote Suspicious Children Process, Winword wrong parent, New Service Creation, Explorer Wrong Parent"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, PowerShell Execution Via Rundll32, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands, Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: System Network Connections Discovery, Remote System Discovery Via Telnet, Adidnsdump Enumeration"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, WMIC Uninstall Product, MalwareBytes Uninstallation, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Lazarus Loaders, Elise Backdoor, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, Phorpiex DriveMgr Command, Mustang Panda Dropper"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access, Adexplorer Usage, Linux Suspicious Search, Opening Of a Password File, Container Credential Access"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, Erase Shell History, ETW Tampering, Compression Followed By Suppression"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious Hangul Word Processor Child Process, Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, Suspicious Outlook Child Process"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Explorer Wrong Parent, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, Dynamic Linker Hijacking From Environment Variable, DNS ServerLevelPluginDll Installation, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, Discovery Commands Correlation"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup, Wmic Suspicious Commands"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Shell PID Injection"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cybereason EDR activity", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, PowerShell Commands Invocation, Bloodhound and Sharphound Tools Usage, Suspicious XOR Encoded PowerShell Command Line, Venom Multi-hop Proxy agent detection, Suspicious PowerShell Keywords, Suspicious Cmd.exe Command Line, WMIC Uninstall Product, Suspicious PowerShell Invocations - Specific, Suspicious VBS Execution Parameter, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious CodePage Switch with CHCP, Microsoft Office Spawning Script, Socat Reverse Shell Detection, Phorpiex DriveMgr Command, Invoke-TheHash Commandlets, Malspam Execution Registering Malicious DLL, Powershell Web Request, XSL Script Processing And SquiblyTwo Attack, Suspicious PrinterPorts Creation (CVE-2020-1048), Mshta Suspicious Child Process, WMImplant Hack Tool, Sekoia.io EICAR Detection, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Socat Relaying Socket, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, FromBase64String Command Line, Suspicious Taskkill Command, Generic-reverse-shell-oneliner, QakBot Process Creation, Linux Bash Reverse Shell, PowerShell Downgrade Attack, Elise Backdoor, Suspicious PowerShell Invocations - Generic, Suspicious Windows Script Execution, Mustang Panda Dropper, SquirrelWaffle Malspam Execution Loading DLL, Lazarus Loaders, Sysprep On AppData Folder, Suspicious Outlook Child Process, PowerShell Download From URL"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner New Issues"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, FLTMC command usage"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Windows Firewall Changes, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable SecurityHealth, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Powershell AMSI Bypass, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Opening, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Port Opening, Disabled IE Security Features, Netsh Port Forwarding, FLTMC command usage, Netsh Allow Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, ETW Tampering, Disable .NET ETW Through COMPlus_ETWEnabled, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disable Services, Address Space Layout Randomization (ASLR) Alteration, Fail2ban Unban IP, Clear EventLogs Through CommandLine, Raccine Uninstall, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Suspicious PROCEXP152.sys File Created In Tmp, Disable Task Manager Through Registry Key"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, Copying Sensitive Files With Credential Data, Process Trace Alteration, Suspicious CommandLine Lsassy Pattern, Mimikatz Basic Commands, HackTools Suspicious Process Names In Command Line, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Names, Process Memory Dump Using Rdrleakdiag, Wdigest Enable UseLogonCredential, Grabbing Sensitive Hives Via Reg Utility, Process Memory Dump Using Createdump, Copying Browser Files With Credentials"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File, Network Connection Via Certutil, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Rclone Process, Suspicious Finger Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Microsoft Office Spawning Script, Malspam Execution Registering Malicious DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, SquirrelWaffle Malspam Execution Loading DLL, QakBot Process Creation, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Exploit For CVE-2015-1641, Explorer Process Executing HTA File, Winword Document Droppers, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, Microsoft Office Spawning Script, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Exploit For CVE-2015-1641, Explorer Process Executing HTA File, HTA Infection Chains, Winword Document Droppers, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, Suspicious Outlook Child Process, ISO LNK Infection Chain"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, Bloodhound and Sharphound Tools Usage, Suspicious XOR Encoded PowerShell Command Line, Suspicious PowerShell Keywords, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, Invoke-TheHash Commandlets, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), Mshta Suspicious Child Process, WMImplant Hack Tool, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, FromBase64String Command Line, Suspicious Taskkill Command, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Generic, PowerShell Download From URL"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, WMI Fingerprint Commands, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, Shadow Copies, System Info Discovery"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account, Enabling Restricted Admin Mode, Add User to Privileged Group, Mimikatz Basic Commands"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Netsh Allow Command, Netsh RDP Port Forwarding, Windows Firewall Changes, Powershell AMSI Bypass, Netsh Port Opening, Netsh Port Forwarding"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Blue Mockingbird Malware, Wdigest Enable UseLogonCredential, RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, DHCP Callout DLL Installation, Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, Mshta JavaScript Execution, MavInject Process Injection, Suspicious Control Process, MOFComp Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Regasm Regsvcs Usage, Malspam Execution Registering Malicious DLL, CertOC Loading Dll, xWizard Execution, PowerShell Execution Via Rundll32, Control Panel Items, Empire Monkey Activity, Suspicious Desktopimgdownldr Execution, Suspicious Taskkill Command, Suspicious Mshta Execution, Suspicious DLL Loading By Ordinal, Suspicious Regsvr32 Execution, CMSTP Execution, Explorer Process Executing HTA File, Equation Group DLL_U Load, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence, Control Panel Items, Component Object Model Hijacking, Reconnaissance Commands Activities, Change Default File Association, New DLL Added To AppCertDlls Registry Key, COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, PowerShell Data Compressed, Data Compressed With Rar With Password"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, Shell PID Injection, COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, UAC Bypass Via Sdclt"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, PowerView commandlets 2, Openfiles Usage, Shell PID Injection, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, Reconnaissance Commands Activities, Shell PID Injection, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 1, Network Share Discovery, PowerView commandlets 2"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, AdFind Usage, NlTest Usage, PowerView commandlets 1"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, IIS Module Installation Using AppCmd, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Copy Of Legitimate System32 Executable, Formbook Hijacked Process Command, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd.exe Command Line, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Ngrok Process Execution, Netsh Port Forwarding"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Stop Backup Services, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, WMI Fingerprint Commands, WMI Install Of Binary, Impacket Wmiexec Module, Invoke-TheHash Commandlets, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, Wmic Process Call Creation, WMIC Uninstall Product, WMImplant Hack Tool, Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable SecurityHealth, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Port Opening, Disabled IE Security Features, Netsh Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disable Services, Address Space Layout Randomization (ASLR) Alteration, Fail2ban Unban IP, Raccine Uninstall, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Suspicious PROCEXP152.sys File Created In Tmp, Disable Task Manager Through Registry Key"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Cryptomining, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, DNS Tunnel Technique From MuddyWater, Dynamic DNS Contacted"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, NjRat Registry Changes, Njrat Registry Values, Autorun Keys Modification, Kernel Module Alteration, Malware Persistence Registry Key"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools, SolarWinds Wrong Child Process, PsExec Process, Winword wrong parent, OneNote Suspicious Children Process, Suspicious DNS Child Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Exfiltration Via Pscp, Windows Update LolBins, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools, SolarWinds Wrong Child Process, PsExec Process, Winword wrong parent, OneNote Suspicious Children Process, Suspicious DNS Child Process"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, IcedID Execution Using Excel"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, SolarWinds Wrong Child Process, Explorer Wrong Parent, Winword wrong parent, New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, SolarWinds Wrong Child Process, Explorer Wrong Parent, Winword wrong parent, New Service Creation"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, Empire Monkey Activity, Equation Group DLL_U Load, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, Suspicious Headless Web Browser Execution To Download File, Discovery Commands Correlation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, Cmd.exe Used To Run Reconnaissance Commands, Discovery Commands Correlation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, System Network Connections Discovery, Remote System Discovery Via Telnet"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Elise Backdoor, Phorpiex DriveMgr Command, Malspam Execution Registering Malicious DLL, Suspicious Cmd.exe Command Line, Suspicious Taskkill Command, Mustang Panda Dropper, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Adexplorer Usage, Opening Of a Password File, Linux Suspicious Search, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, Erase Shell History, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line, Exfiltration Domain"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Explorer Wrong Parent"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution, Exploit For CVE-2015-1641, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, Suspicious Outlook Child Process"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection, Explorer Wrong Parent"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Hijack Legit RDP Session To Move Laterally, Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Shell PID Injection, Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_10999b99-9a8d-4b92-9fbd-01e3fac01cd5_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_10999b99-9a8d-4b92-9fbd-01e3fac01cd5_do_not_edit_manually.json
index 2904cc8e97..82cd045453 100644
--- a/_shared_content/operations_center/detection/generated/attack_10999b99-9a8d-4b92-9fbd-01e3fac01cd5_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_10999b99-9a8d-4b92-9fbd-01e3fac01cd5_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Crowdstrike Falcon Telemetry", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Venom Multi-hop Proxy agent detection, Suspicious Windows Script Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious CodePage Switch with CHCP, Default Encoding To UTF-8 PowerShell, Socat Reverse Shell Detection, Generic-reverse-shell-oneliner, WMImplant Hack Tool, Suspicious PowerShell Keywords, PowerShell Downgrade Attack, Suspicious PrinterPorts Creation (CVE-2020-1048), Mustang Panda Dropper, PowerShell EncodedCommand, QakBot Process Creation, Socat Relaying Socket, Sysprep On AppData Folder, Powershell Web Request, Malspam Execution Registering Malicious DLL, Suspicious Outlook Child Process, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Taskkill Command, AutoIt3 Execution From Suspicious Folder, Bloodhound and Sharphound Tools Usage, Suspicious Cmd.exe Command Line, MalwareBytes Uninstallation, PowerShell Malicious Nishang PowerShell Commandlets, Mshta Suspicious Child Process, PowerShell Download From URL, PowerShell Commands Invocation, Microsoft Office Spawning Script, Invoke-TheHash Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, Interactive Terminal Spawned via Python, XSL Script Processing And SquiblyTwo Attack, Suspicious XOR Encoded PowerShell Command Line, WMIC Uninstall Product, Suspicious PowerShell Invocations - Generic, SquirrelWaffle Malspam Execution Loading DLL, Suspicious VBS Execution Parameter, Suspicious PowerShell Invocations - Specific, Lazarus Loaders, Elise Backdoor, DNS Exfiltration and Tunneling Tools Execution, PowerShell Invoke Expression With Registry, Linux Bash Reverse Shell"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, FLTMC command usage, ETW Tampering"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Allow Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Exclusion Configuration, Netsh RDP Port Opening, Disable .NET ETW Through COMPlus_ETWEnabled, SELinux Disabling, FLTMC command usage, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PROCEXP152.sys File Created In Tmp, Netsh RDP Port Forwarding, Netsh Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Disabled IE Security Features, ETW Tampering, Powershell AMSI Bypass, MalwareBytes Uninstallation, Raccine Uninstall, Disable Windows Defender Credential Guard, Address Space Layout Randomization (ASLR) Alteration, Windows Firewall Changes, Microsoft Defender Antivirus Disable Using Registry, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable Services, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, NetNTLM Downgrade Attack, Dism Disabling Windows Defender, WMIC Uninstall Product, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Port Opening, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Task Manager Through Registry Key, Netsh Allowed Python Program, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Driver Loaded, Disabled Service"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Exclusion Configuration, Netsh RDP Port Opening, SELinux Disabling, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PROCEXP152.sys File Created In Tmp, Netsh RDP Port Forwarding, Netsh Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Disabled IE Security Features, MalwareBytes Uninstallation, Raccine Uninstall, Disable Windows Defender Credential Guard, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Disable Services, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, NetNTLM Downgrade Attack, Dism Disabling Windows Defender, WMIC Uninstall Product, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Port Opening, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Task Manager Through Registry Key, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Driver Loaded, Disabled Service"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Process Names In Command Line, Cmdkey Cached Credentials Recon, HackTools Suspicious Names, Process Trace Alteration, Process Memory Dump Using Rdrleakdiag, Mimikatz Basic Commands, Rubeus Tool Command-line, Grabbing Sensitive Hives Via Reg Utility, Process Memory Dump Using Comsvcs, Wdigest Enable UseLogonCredential, NTDS.dit File Interaction Through Command Line, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Createdump, Copying Sensitive Files With Credential Data, NetNTLM Downgrade Attack, Copying Browser Files With Credentials, Windows Credential Editor Registry Key"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Ursnif Registry Key, Suspicious New Printer Ports In Registry, RedMimicry Winnti Playbook Registry Manipulation, RDP Sensitive Settings Changed, Wdigest Enable UseLogonCredential, Suspicious Desktopimgdownldr Execution, Disable Workstation Lock, DHCP Callout DLL Installation, FlowCloud Malware, DNS ServerLevelPluginDll Installation, Disabling SmartScreen Via Registry, OceanLotus Registry Activity, NetNTLM Downgrade Attack, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Rclone Process, Suspicious certutil command, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, QakBot Process Creation, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Suspicious VBS Execution Parameter, Microsoft Office Spawning Script, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, MS Office Product Spawning Exe in User Dir, Winword Document Droppers, Download Files From Non-Legitimate TLDs, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, ZIP LNK Infection Chain, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, MS Office Product Spawning Exe in User Dir, Winword Document Droppers, Suspicious Outlook Child Process, HTA Infection Chains, Download Files From Non-Legitimate TLDs, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, ISO LNK Infection Chain, Exploit For CVE-2015-1641, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, WMImplant Hack Tool, Suspicious PowerShell Keywords, PowerShell Downgrade Attack, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Powershell Web Request, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Taskkill Command, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, Mshta Suspicious Child Process, PowerShell Download From URL, Invoke-TheHash Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, Suspicious PowerShell Invocations - Generic, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, PowerShell Invoke Expression With Registry"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, COM Hijack Via Sdclt, Control Panel Items, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, HTML Smuggling Suspicious Usage, Sticky Key Like Backdoor Usage, WMI Persistence Script Event Consumer File Write, Reconnaissance Commands Activities, Change Default File Association, Component Object Model Hijacking"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, WMI Fingerprint Commands, Shadow Copies, System Info Discovery, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Wsmprovhost Wrong Parent, Smss Wrong Parent, Wmiprvse Wrong Parent, MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration, Svchost Wrong Parent, Searchprotocolhost Wrong Parent, Searchindexer Wrong Parent, Taskhost Wrong Parent, Taskhostw Wrong Parent, Explorer Wrong Parent"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Wsmprovhost Wrong Parent, SolarWinds Wrong Child Process, Winlogon wrong parent, Svchost Wrong Parent, Winword wrong parent, Taskhostw Wrong Parent, Dllhost Wrong Parent, Csrss Wrong Parent, Smss Wrong Parent, OneNote Suspicious Children Process, Gpscript Suspicious Parent, Searchprotocolhost Wrong Parent, New Service Creation, Taskhost Wrong Parent, Explorer Wrong Parent, Wmiprvse Wrong Parent, Logonui Wrong Parent, Searchindexer Wrong Parent, Userinit Wrong Parent, Lsass Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Wsmprovhost Wrong Parent, SolarWinds Wrong Child Process, Winlogon wrong parent, Svchost Wrong Parent, Winword wrong parent, Taskhostw Wrong Parent, Dllhost Wrong Parent, Csrss Wrong Parent, Smss Wrong Parent, OneNote Suspicious Children Process, Gpscript Suspicious Parent, Searchprotocolhost Wrong Parent, New Service Creation, Taskhost Wrong Parent, Explorer Wrong Parent, Wmiprvse Wrong Parent, Logonui Wrong Parent, Searchindexer Wrong Parent, Userinit Wrong Parent, Lsass Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Suspicious DNS Child Process, Wsmprovhost Wrong Parent, SolarWinds Wrong Child Process, Winlogon wrong parent, Svchost Wrong Parent, PsExec Process, Winword wrong parent, Taskhostw Wrong Parent, Dllhost Wrong Parent, Usage Of Sysinternals Tools, Csrss Wrong Parent, Smss Wrong Parent, OneNote Suspicious Children Process, Gpscript Suspicious Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Usage Of Procdump With Common Arguments, Wmiprvse Wrong Parent, Logonui Wrong Parent, Searchindexer Wrong Parent, Userinit Wrong Parent, Lsass Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Suspicious DNS Child Process, Wsmprovhost Wrong Parent, SolarWinds Wrong Child Process, Windows Update LolBins, Winlogon wrong parent, Svchost Wrong Parent, PsExec Process, Winword wrong parent, Taskhostw Wrong Parent, Dllhost Wrong Parent, Usage Of Sysinternals Tools, Csrss Wrong Parent, Smss Wrong Parent, OneNote Suspicious Children Process, Gpscript Suspicious Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, Wmiprvse Wrong Parent, Logonui Wrong Parent, Searchindexer Wrong Parent, Userinit Wrong Parent, Lsass Wrong Parent"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Add User to Privileged Group, Enabling Restricted Admin Mode"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Powershell AMSI Bypass, Netsh Port Opening, Netsh Allow Command, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Shell PID Injection, COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, Reconnaissance Commands Activities, UAC Bypass via Event Viewer, UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Empire Monkey Activity, IcedID Execution Using Excel, Suspicious Desktopimgdownldr Execution, Suspicious Mshta Execution, xWizard Execution, Suspicious Regsvr32 Execution, Malspam Execution Registering Malicious DLL, MavInject Process Injection, PowerShell Execution Via Rundll32, CertOC Loading Dll, Suspicious DLL Loading By Ordinal, Suspicious Taskkill Command, MOFComp Execution, Explorer Process Executing HTA File, Equation Group DLL_U Load, Suspicious Regasm Regsvcs Usage, CMSTP Execution, SquirrelWaffle Malspam Execution Loading DLL, Control Panel Items, Suspicious Control Process, AccCheckConsole Executing Dll, Mshta JavaScript Execution, Suspicious Windows Installer Execution, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password, PowerShell Data Compressed"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Blue Mockingbird Malware, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Openfiles Usage, Network Scanning and Discovery, Shell PID Injection, PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Shell PID Injection, Discovery Commands Correlation, Active Directory Data Export Using Csvde, PowerView commandlets 1, Reconnaissance Commands Activities, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, PowerView commandlets 1, AdFind Usage, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, IIS Module Installation Using AppCmd, PowerCat Function Loading"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Copy Of Legitimate System32 Executable, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, AutoIt3 Execution From Suspicious Folder, RTLO Character, Suspicious Cmd.exe Command Line, Explorer Wrong Parent"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Ngrok Process Execution, Netsh Port Forwarding, Potential DNS Tunnel"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Correlation Multi Service Disable, Disabled Service"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Stop Backup Services"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Process Call Creation, WMIC Uninstall Product, Impacket Wmiexec Module, WMImplant Hack Tool, WMI Install Of Binary, WMI Fingerprint Commands, Invoke-TheHash Commandlets, Suspicious Mshta Execution From Wmi, Wmic Service Call, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Correlation Potential DNS Tunnel, Cobalt Strike DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution, Cryptomining, Sliver DNS Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Dynamic DNS Contacted, Correlation Potential DNS Tunnel, Suspicious Windows DNS Queries, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Bazar Loader DGA (Domain Generation Algorithm), Cobalt Strike DNS Beaconing, DNS Tunnel Technique From MuddyWater, Sliver DNS Beaconing, Cryptomining"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, Download Files From Non-Legitimate TLDs, HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Autorun Keys Modification, Leviathan Registry Key Activity, Powershell Winlogon Helper DLL, DLL Load via LSASS Registry Key, Svchost Modification, Njrat Registry Values, Security Support Provider (SSP) Added to LSA Configuration, RUN Registry Key Created From Suspicious Folder, Kernel Module Alteration, NjRat Registry Changes"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious XOR Encoded PowerShell Command Line, Suspicious certutil command, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Gpresult Usage, Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, Network Sniffing, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Office Application Startup Office Test"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Leviathan Registry Key Activity, Autorun Keys Modification, Svchost Modification, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, PowerShell Execution Via Rundll32, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands, Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: System Network Connections Discovery, ACLight Discovering Privileged Accounts, Remote System Discovery Via Telnet, Adidnsdump Enumeration"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, WMIC Uninstall Product, MalwareBytes Uninstallation, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Lazarus Loaders, Elise Backdoor, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, Phorpiex DriveMgr Command, Mustang Panda Dropper"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access, Adexplorer Usage, Linux Suspicious Search, Opening Of a Password File, Container Credential Access"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, Erase Shell History, ETW Tampering, Compression Followed By Suppression"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Potential DNS Tunnel, Exfiltration Domain, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder, Explorer Wrong Parent"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious New Printer Ports In Registry, Download Files From Non-Legitimate TLDs, Exploit For CVE-2015-1641, Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, SEKOIA.IO Intelligence Feed, Suspicious Double Extension, Suspicious Outlook Child Process, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Suspicious Windows DNS Queries"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Windows Credential Editor Registry Key, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, Dynamic Linker Hijacking From Environment Variable, DNS ServerLevelPluginDll Installation, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, Discovery Commands Correlation"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup, Wmic Suspicious Commands"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy, CVE-2021-4034 Polkit's pkexec, Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding, Suspicious TOR Gateway"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Shell PID Injection"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Crowdstrike Falcon Telemetry", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, PowerShell Commands Invocation, Interactive Terminal Spawned via Python, Bloodhound and Sharphound Tools Usage, Suspicious XOR Encoded PowerShell Command Line, Venom Multi-hop Proxy agent detection, Suspicious PowerShell Keywords, Suspicious Cmd.exe Command Line, WMIC Uninstall Product, Suspicious PowerShell Invocations - Specific, Suspicious VBS Execution Parameter, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious CodePage Switch with CHCP, Microsoft Office Spawning Script, Socat Reverse Shell Detection, Phorpiex DriveMgr Command, Invoke-TheHash Commandlets, Malspam Execution Registering Malicious DLL, Powershell Web Request, XSL Script Processing And SquiblyTwo Attack, Suspicious PrinterPorts Creation (CVE-2020-1048), Mshta Suspicious Child Process, WMImplant Hack Tool, Sekoia.io EICAR Detection, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, AutoIt3 Execution From Suspicious Folder, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Socat Relaying Socket, PowerShell EncodedCommand, FromBase64String Command Line, Suspicious Taskkill Command, Generic-reverse-shell-oneliner, QakBot Process Creation, Linux Bash Reverse Shell, PowerShell Downgrade Attack, Elise Backdoor, Suspicious PowerShell Invocations - Generic, Suspicious Windows Script Execution, Mustang Panda Dropper, SquirrelWaffle Malspam Execution Loading DLL, Lazarus Loaders, Sysprep On AppData Folder, Suspicious Outlook Child Process, PowerShell Download From URL"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, FLTMC command usage"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Windows Firewall Changes, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable SecurityHealth, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Powershell AMSI Bypass, Microsoft Defender Antivirus Exclusion Configuration, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Opening, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Port Opening, Disabled IE Security Features, Netsh Port Forwarding, FLTMC command usage, Netsh Allow Command, NetNTLM Downgrade Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, ETW Tampering, SELinux Disabling, Disable .NET ETW Through COMPlus_ETWEnabled, Disabled Service, AMSI Deactivation Using Registry Key, Suspicious Driver Loaded, Microsoft Defender Antivirus Disable Services, Address Space Layout Randomization (ASLR) Alteration, Fail2ban Unban IP, Clear EventLogs Through CommandLine, Raccine Uninstall, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Suspicious PROCEXP152.sys File Created In Tmp, Disable Task Manager Through Registry Key"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable SecurityHealth, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Microsoft Defender Antivirus Exclusion Configuration, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Port Opening, Disabled IE Security Features, Netsh Port Forwarding, NetNTLM Downgrade Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, SELinux Disabling, Disabled Service, AMSI Deactivation Using Registry Key, Suspicious Driver Loaded, Microsoft Defender Antivirus Disable Services, Address Space Layout Randomization (ASLR) Alteration, Fail2ban Unban IP, Raccine Uninstall, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Suspicious PROCEXP152.sys File Created In Tmp, Disable Task Manager Through Registry Key"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, Copying Sensitive Files With Credential Data, Windows Credential Editor Registry Key, Suspicious CommandLine Lsassy Pattern, Process Trace Alteration, Mimikatz Basic Commands, NetNTLM Downgrade Attack, HackTools Suspicious Process Names In Command Line, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Names, Process Memory Dump Using Rdrleakdiag, Wdigest Enable UseLogonCredential, Grabbing Sensitive Hives Via Reg Utility, Process Memory Dump Using Createdump, Copying Browser Files With Credentials"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Disable Workstation Lock, NetNTLM Downgrade Attack, Blue Mockingbird Malware, FlowCloud Malware, Wdigest Enable UseLogonCredential, RDP Sensitive Settings Changed, Suspicious New Printer Ports In Registry, RedMimicry Winnti Playbook Registry Manipulation, OceanLotus Registry Activity, Suspicious Desktopimgdownldr Execution, Disabling SmartScreen Via Registry, DHCP Callout DLL Installation, Disable .NET ETW Through COMPlus_ETWEnabled, Ursnif Registry Key"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Rclone Process, Suspicious Finger Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Microsoft Office Spawning Script, Malspam Execution Registering Malicious DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, SquirrelWaffle Malspam Execution Loading DLL, QakBot Process Creation, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Exploit For CVE-2015-1641, Explorer Process Executing HTA File, Download Files From Non-Legitimate TLDs, Winword Document Droppers, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, Microsoft Office Spawning Script, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Exploit For CVE-2015-1641, Explorer Process Executing HTA File, HTA Infection Chains, ISO LNK Infection Chain, Download Files From Non-Legitimate TLDs, Winword Document Droppers, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, Suspicious Outlook Child Process, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, Bloodhound and Sharphound Tools Usage, Suspicious XOR Encoded PowerShell Command Line, Suspicious PowerShell Keywords, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, Invoke-TheHash Commandlets, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), Mshta Suspicious Child Process, WMImplant Hack Tool, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, FromBase64String Command Line, Suspicious Taskkill Command, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Generic, PowerShell Download From URL"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence, Control Panel Items, Component Object Model Hijacking, Sticky Key Like Backdoor Usage, Reconnaissance Commands Activities, Change Default File Association, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, New DLL Added To AppCertDlls Registry Key, COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, WMI Fingerprint Commands, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, Shadow Copies, System Info Discovery"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Svchost Wrong Parent, Taskhostw Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Smss Wrong Parent, Wsmprovhost Wrong Parent, Wmiprvse Wrong Parent, MavInject Process Injection, Explorer Wrong Parent, Searchindexer Wrong Parent"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, New Service Creation, Userinit Wrong Parent, Gpscript Suspicious Parent, SolarWinds Wrong Child Process, Smss Wrong Parent, Explorer Wrong Parent, Winword wrong parent, OneNote Suspicious Children Process, Dllhost Wrong Parent, Svchost Wrong Parent, Lsass Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Csrss Wrong Parent, Wmiprvse Wrong Parent, Logonui Wrong Parent, Searchindexer Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, New Service Creation, Userinit Wrong Parent, Gpscript Suspicious Parent, SolarWinds Wrong Child Process, Smss Wrong Parent, Explorer Wrong Parent, Winword wrong parent, OneNote Suspicious Children Process, Dllhost Wrong Parent, Svchost Wrong Parent, Lsass Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Csrss Wrong Parent, Wmiprvse Wrong Parent, Logonui Wrong Parent, Searchindexer Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, PsExec Process, Userinit Wrong Parent, Gpscript Suspicious Parent, SolarWinds Wrong Child Process, Smss Wrong Parent, Usage Of Procdump With Common Arguments, Winword wrong parent, OneNote Suspicious Children Process, Suspicious DNS Child Process, Dllhost Wrong Parent, Svchost Wrong Parent, Lsass Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Csrss Wrong Parent, Usage Of Sysinternals Tools, Wmiprvse Wrong Parent, Logonui Wrong Parent, Searchindexer Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, PsExec Process, Userinit Wrong Parent, Exfiltration Via Pscp, Windows Update LolBins, Gpscript Suspicious Parent, SolarWinds Wrong Child Process, Smss Wrong Parent, Usage Of Procdump With Common Arguments, Winword wrong parent, OneNote Suspicious Children Process, Suspicious DNS Child Process, Dllhost Wrong Parent, Svchost Wrong Parent, Lsass Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Csrss Wrong Parent, Usage Of Sysinternals Tools, Wmiprvse Wrong Parent, Logonui Wrong Parent, Searchindexer Wrong Parent"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Netsh Allow Command, Netsh RDP Port Forwarding, Windows Firewall Changes, Powershell AMSI Bypass, Netsh Port Opening, Netsh Port Forwarding"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Using Fodhelper, Reconnaissance Commands Activities, Shell PID Injection, COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, UAC Bypass Via Sdclt"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, Mshta JavaScript Execution, MavInject Process Injection, Suspicious Control Process, MOFComp Execution, Suspicious Regasm Regsvcs Usage, Malspam Execution Registering Malicious DLL, CertOC Loading Dll, xWizard Execution, PowerShell Execution Via Rundll32, Control Panel Items, Empire Monkey Activity, Suspicious Desktopimgdownldr Execution, Suspicious Taskkill Command, Suspicious Mshta Execution, Suspicious DLL Loading By Ordinal, Suspicious Regsvr32 Execution, CMSTP Execution, Explorer Process Executing HTA File, Equation Group DLL_U Load, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, PowerShell Data Compressed, Data Compressed With Rar With Password"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, PowerView commandlets 2, Openfiles Usage, Shell PID Injection, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, Reconnaissance Commands Activities, Shell PID Injection, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 1, Network Share Discovery, PowerView commandlets 2"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, AdFind Usage, NlTest Usage, PowerView commandlets 1"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, IIS Module Installation Using AppCmd, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Copy Of Legitimate System32 Executable, AutoIt3 Execution From Suspicious Folder, Formbook Hijacked Process Command, Non-Legitimate Executable Using AcceptEula Parameter, Legitimate Process Execution From Unusual Folder, Suspicious Cmd.exe Command Line, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Socat Reverse Shell Detection, Socat Relaying Socket, Potential DNS Tunnel, Venom Multi-hop Proxy agent detection, Ngrok Process Execution, Netsh Port Forwarding"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Disabled Service, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Stop Backup Services, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, WMI Fingerprint Commands, WMI Install Of Binary, Impacket Wmiexec Module, Invoke-TheHash Commandlets, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, Wmic Process Call Creation, WMIC Uninstall Product, WMImplant Hack Tool, Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing, DNS Tunnel Technique From MuddyWater, Cobalt Strike DNS Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Cryptomining, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing, Suspicious Windows DNS Queries, Koadic MSHTML Command, DNS Tunnel Technique From MuddyWater, Dynamic DNS Contacted, Cobalt Strike DNS Beaconing"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, HTA Infection Chains, Download Files From Non-Legitimate TLDs, ISO LNK Infection Chain"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, DLL Load via LSASS Registry Key, Malware Persistence Registry Key, RUN Registry Key Created From Suspicious Folder, NjRat Registry Changes, Svchost Modification, Njrat Registry Values, Autorun Keys Modification, Kernel Module Alteration, Powershell Winlogon Helper DLL, Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, IcedID Execution Using Excel"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder, Svchost Modification, Autorun Keys Modification, Malware Persistence Registry Key"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, Empire Monkey Activity, Equation Group DLL_U Load, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, Suspicious Headless Web Browser Execution To Download File, Discovery Commands Correlation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, Cmd.exe Used To Run Reconnaissance Commands, Discovery Commands Correlation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, System Network Connections Discovery, Remote System Discovery Via Telnet, ACLight Discovering Privileged Accounts"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Elise Backdoor, Phorpiex DriveMgr Command, Malspam Execution Registering Malicious DLL, Suspicious Cmd.exe Command Line, Suspicious Taskkill Command, Mustang Panda Dropper, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Adexplorer Usage, Opening Of a Password File, Linux Suspicious Search, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, Erase Shell History, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line, Exfiltration Domain"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Legitimate Process Execution From Unusual Folder, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Download Files From Non-Legitimate TLDs, Msdt (Follina) File Browse Process Execution, Exploit For CVE-2015-1641, Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Download Files From Non-Legitimate TLDs, Suspicious Outlook Child Process"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Suspicious Windows DNS Queries"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Windows Credential Editor Registry Key, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Hijack Legit RDP Session To Move Laterally, Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Suspicious New Printer Ports In Registry, CVE-2021-4034 Polkit's pkexec, Certify Or Certipy"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Shell PID Injection, Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_16676d72-463e-4b8a-b13a-f8dd48cddc8c_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_16676d72-463e-4b8a-b13a-f8dd48cddc8c_do_not_edit_manually.json
index 6686906c0e..ad5b4e278b 100644
--- a/_shared_content/operations_center/detection/generated/attack_16676d72-463e-4b8a-b13a-f8dd48cddc8c_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_16676d72-463e-4b8a-b13a-f8dd48cddc8c_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cloudflare WAF events", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected, WAF Block Rule, WAF Correlation Block actions"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected, WAF Block Rule, WAF Correlation Block actions"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential LokiBot User-Agent, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Correlation Potential DNS Tunnel, Covenant Default HTTP Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential LokiBot User-Agent, Covenant Default HTTP Beaconing, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cloudflare WAF events", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Correlation Block actions, WAF Block Rule, Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: WAF Correlation Block actions, WAF Block Rule, Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Cryptomining, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Potential LokiBot User-Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_19cd2ed6-f90c-47f7-a46b-974354a107bb_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_19cd2ed6-f90c-47f7-a46b-974354a107bb_do_not_edit_manually.json
index 1e536e84a8..0bb9ec9f77 100644
--- a/_shared_content/operations_center/detection/generated/attack_19cd2ed6-f90c-47f7-a46b-974354a107bb_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_19cd2ed6-f90c-47f7-a46b-974354a107bb_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Microsoft Entra ID / Azure AD", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Sign-in From Unlikely Country, Microsoft Entra ID (Azure AD) Threat Intelligence, Microsoft Entra ID (Azure AD) Suspicious Browser, Microsoft Entra ID (Azure AD) Impossible Travel, Microsoft Entra ID (Azure AD) Anonymous IP, Microsoft Entra ID (Azure AD) Unfamiliar Features, Microsoft Entra ID (Azure AD) Leaked Credentials, Microsoft Entra ID (Azure AD) Malicious IP, Microsoft Entra ID (Azure AD) Token Issuer Anomaly, Microsoft Entra ID (Azure AD) Password Spray, Microsoft Entra ID (Azure AD) Login Failed Brute-Force From Single IP Address, Login Brute-Force Successful On AzureAD From Single IP Address, Microsoft Entra ID (Azure AD) Suspicious IP, Microsoft Entra ID (Azure AD) Suspicious Inbox Forwarding, Microsoft Entra ID (Azure AD) Abnormal Token, Microsoft Entra ID (Azure AD) Successful Password Spraying From Single IP Address"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Sign-in From Unlikely Country, Microsoft Entra ID (Azure AD) Threat Intelligence, Microsoft Entra ID (Azure AD) Suspicious Browser, Microsoft Entra ID (Azure AD) Impossible Travel, Microsoft Entra ID (Azure AD) Anonymous IP, Microsoft Entra ID (Azure AD) Unfamiliar Features, Microsoft Entra ID (Azure AD) Leaked Credentials, Microsoft Entra ID (Azure AD) Malicious IP, Microsoft Entra ID (Azure AD) Token Issuer Anomaly, Microsoft Entra ID (Azure AD) Password Spray, Microsoft Entra ID (Azure AD) Login Failed Brute-Force From Single IP Address, Login Brute-Force Successful On AzureAD From Single IP Address, Microsoft Entra ID (Azure AD) Suspicious IP, Microsoft Entra ID (Azure AD) Suspicious Inbox Forwarding, Microsoft Entra ID (Azure AD) Abnormal Token, Microsoft Entra ID (Azure AD) Successful Password Spraying From Single IP Address"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Self Service Password Reset In Failure"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit (Tycoon 2FA), Entra ID Sign-In Via Known AiTM Phishing Kit (RED0046), Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit (Tycoon 2FA), Entra ID Sign-In Via Known AiTM Phishing Kit (RED0046), Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1114.002", "score": 100, "comment": "Rules: Entra ID Consent Attempt to Suspicious OAuth Application"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Entra ID Consent Attempt to Suspicious OAuth Application"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Authentication Impossible Travel, RSA SecurID Failed Authentification, Entra ID Password Compromised By Known Credential Testing Tool, Password Change Brute-Force On AzureAD"}, {"techniqueID": "T1556.006", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) MFA Method Change"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) MFA Method Change"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Domain Trust Modification"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Domain Trust Modification"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Device Code Authentication"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Device Code Authentication, Authentication Impossible Travel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Microsoft Entra ID / Azure AD", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Suspicious Inbox Forwarding, Microsoft Entra ID (Azure AD) Successful Password Spraying From Single IP Address, Microsoft Entra ID (Azure AD) Leaked Credentials, Microsoft Entra ID (Azure AD) Token Issuer Anomaly, Microsoft Entra ID (Azure AD) Sign-in From Unlikely Country, Microsoft Entra ID (Azure AD) Suspicious Browser, Login Brute-Force Successful On AzureAD From Single IP Address, Microsoft Entra ID (Azure AD) Suspicious IP, Microsoft Entra ID (Azure AD) Password Spray, Microsoft Entra ID (Azure AD) Login Failed Brute-Force From Single IP Address, Microsoft Entra ID (Azure AD) Threat Intelligence, Microsoft Entra ID (Azure AD) Malicious IP, Microsoft Entra ID (Azure AD) Unfamiliar Features, Microsoft Entra ID (Azure AD) Anonymous IP, Microsoft Entra ID (Azure AD) Impossible Travel, Microsoft Entra ID (Azure AD) Abnormal Token"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Suspicious Inbox Forwarding, Microsoft Entra ID (Azure AD) Successful Password Spraying From Single IP Address, Microsoft Entra ID (Azure AD) Leaked Credentials, Microsoft Entra ID (Azure AD) Token Issuer Anomaly, Microsoft Entra ID (Azure AD) Sign-in From Unlikely Country, Microsoft Entra ID (Azure AD) Suspicious Browser, Login Brute-Force Successful On AzureAD From Single IP Address, Microsoft Entra ID (Azure AD) Suspicious IP, Microsoft Entra ID (Azure AD) Password Spray, Microsoft Entra ID (Azure AD) Login Failed Brute-Force From Single IP Address, Microsoft Entra ID (Azure AD) Threat Intelligence, Microsoft Entra ID (Azure AD) Malicious IP, Microsoft Entra ID (Azure AD) Unfamiliar Features, Microsoft Entra ID (Azure AD) Anonymous IP, Microsoft Entra ID (Azure AD) Impossible Travel, Microsoft Entra ID (Azure AD) Abnormal Token"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Self Service Password Reset In Failure"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit, Entra ID Sign-In Via Known AiTM Phishing Kit (RED0046), Entra ID Sign-In Via Known AiTM Phishing Kit (Tycoon 2FA)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit, Entra ID Sign-In Via Known AiTM Phishing Kit (RED0046), Entra ID Sign-In Via Known AiTM Phishing Kit (Tycoon 2FA)"}, {"techniqueID": "T1114.002", "score": 100, "comment": "Rules: Entra ID Consent Attempt to Suspicious OAuth Application"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Entra ID Consent Attempt to Suspicious OAuth Application"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Authentication Impossible Travel, Password Change Brute-Force On AzureAD, RSA SecurID Failed Authentification, Entra ID Password Compromised By Known Credential Testing Tool"}, {"techniqueID": "T1556.006", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) MFA Method Change"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) MFA Method Change"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Domain Trust Modification"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Domain Trust Modification"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Device Code Authentication"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Authentication Impossible Travel, Microsoft Entra ID (Azure AD) Device Code Authentication"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Cryptomining, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_1d172ee6-cdc0-4713-9cfd-43f7d9595777_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_1d172ee6-cdc0-4713-9cfd-43f7d9595777_do_not_edit_manually.json
index 463c526870..05eaf7fcee 100644
--- a/_shared_content/operations_center/detection/generated/attack_1d172ee6-cdc0-4713-9cfd-43f7d9595777_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_1d172ee6-cdc0-4713-9cfd-43f7d9595777_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x CEF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Socat Reverse Shell Detection, Socat Relaying Socket, Microsoft Office Creating Suspicious File, Bloodhound and Sharphound Tools Usage, Suspicious File Name"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner New Issues"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-26855 Exchange SSRF, CVE-2020-1147 SharePoint, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2020-17530 Apache Struts RCE, CVE-2021-21972 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-0604 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21985 VMware vCenter"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, HTA Infection Chains, ISO LNK Infection Chain, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, Process Trace Alteration, NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation, Credential Dump Tools Related Files"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Potential DNS Tunnel, Socat Relaying Socket, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential LokiBot User-Agent, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Suspicious Windows DNS Queries, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential LokiBot User-Agent, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Dynamic DNS Contacted, Correlation Potential DNS Tunnel, Covenant Default HTTP Beaconing, Suspicious Windows DNS Queries, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cryptomining, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Suspicious Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious Desktopimgdownldr Execution, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ISO LNK Infection Chain, Download Files From Suspicious TLDs, HTA Infection Chains"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x CEF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Socat Reverse Shell Detection, Suspicious File Name, Socat Relaying Socket, Bloodhound and Sharphound Tools Usage, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner New Issues"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-1147 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, HTA Infection Chains, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, ISO LNK Infection Chain"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, OneNote Suspicious Children Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Process Trace Alteration, NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation, HackTools Suspicious Names"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Socat Relaying Socket, Exfiltration And Tunneling Tools Execution, Socat Reverse Shell Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Exfiltration And Tunneling Tools Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, Suspicious Windows DNS Queries, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, TrevorC2 HTTP Communication, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Exfiltration And Tunneling Tools Execution, Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Correlation Potential DNS Tunnel, Suspicious Windows DNS Queries, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, TrevorC2 HTTP Communication, Covenant Default HTTP Beaconing, Dynamic DNS Contacted"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Suspicious Desktopimgdownldr Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, Download Files From Suspicious TLDs, ISO LNK Infection Chain"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage, NlTest Usage"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_1df44c62-33d3-41d4-8176-f1fa13589eea_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_1df44c62-33d3-41d4-8176-f1fa13589eea_do_not_edit_manually.json
index 2db1f6f948..05f68f90ec 100644
--- a/_shared_content/operations_center/detection/generated/attack_1df44c62-33d3-41d4-8176-f1fa13589eea_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_1df44c62-33d3-41d4-8176-f1fa13589eea_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x ExtraHop Reveal(x) 360", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: ExtraHop Reveal(x) 360 Intrusion Detection High Severity, ExtraHop Reveal(x) 360 Intrusion Detection Critical Severity"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x ExtraHop Reveal(x) 360", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: ExtraHop Reveal(x) 360 Intrusion Detection Critical Severity, ExtraHop Reveal(x) 360 Intrusion Detection High Severity"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_20876735-c423-4bbc-9d19-67edc91fb063_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_20876735-c423-4bbc-9d19-67edc91fb063_do_not_edit_manually.json
index 3e7a4ea18b..130d870a5c 100644
--- a/_shared_content/operations_center/detection/generated/attack_20876735-c423-4bbc-9d19-67edc91fb063_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_20876735-c423-4bbc-9d19-67edc91fb063_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x RSA SecurID", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Venom Multi-hop Proxy agent detection, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, Socat Reverse Shell Detection, WMImplant Hack Tool, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Mustang Panda Dropper, PowerShell EncodedCommand, QakBot Process Creation, Socat Relaying Socket, Powershell Web Request, Malspam Execution Registering Malicious DLL, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Taskkill Command, Bloodhound and Sharphound Tools Usage, MalwareBytes Uninstallation, PowerShell Commands Invocation, Invoke-TheHash Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, WMIC Uninstall Product, Suspicious PowerShell Invocations - Generic, Lazarus Loaders, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, PowerShell Invoke Expression With Registry, Linux Bash Reverse Shell"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Process Names In Command Line, Process Trace Alteration, Process Memory Dump Using Rdrleakdiag, Mimikatz Basic Commands, Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, Wdigest Enable UseLogonCredential, NTDS.dit File Interaction Through Command Line, Suspicious CommandLine Lsassy Pattern, Copying Browser Files With Credentials"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious certutil command, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Powershell AMSI Bypass, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Forwarding, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh RDP Port Forwarding, Netsh Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Disabled IE Security Features, ETW Tampering, Powershell AMSI Bypass, MalwareBytes Uninstallation, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Windows Firewall Changes, Microsoft Defender Antivirus Disable Using Registry, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Task Manager Through Registry Key, Netsh Allowed Python Program, Debugging Software Deactivation"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Wdigest Enable UseLogonCredential, Suspicious Desktopimgdownldr Execution, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, PowerView commandlets 1, AdFind Usage, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, MavInject Process Injection, Suspicious Desktopimgdownldr Execution, Equation Group DLL_U Load, Control Panel Items, CertOC Loading Dll, Suspicious DLL Loading By Ordinal, Suspicious Taskkill Command, Suspicious Windows Installer Execution"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Control Panel Items, Change Default File Association, Component Object Model Hijacking"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket, SOCKS Tunneling Tool, Ngrok Process Execution, Netsh Port Forwarding"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Stop Backup Services"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Process Call Creation, WMIC Uninstall Product, WMImplant Hack Tool, WMI Install Of Binary, Invoke-TheHash Commandlets, Wmic Service Call, Blue Mockingbird Malware"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, Default Encoding To UTF-8 PowerShell, Suspicious PowerShell Invocations - Generic, Powershell Web Request, WMImplant Hack Tool, Suspicious PowerShell Keywords, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, FromBase64String Command Line, DNS Exfiltration and Tunneling Tools Execution, Suspicious Taskkill Command, PowerShell Invoke Expression With Registry, Invoke-TheHash Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Bloodhound and Sharphound Tools Usage, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Autorun Keys Modification, Leviathan Registry Key Activity, Njrat Registry Values, NjRat Registry Changes"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Impacket Addcomputer, User Account Created"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, WMIC Uninstall Product, MalwareBytes Uninstallation, Raccine Uninstall, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Disable Services, Netsh RDP Port Forwarding, Netsh Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Disabled IE Security Features"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, QakBot Process Creation"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, ETW Tampering, Compression Followed By Suppression"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, PowerShell Data Compressed"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, MalwareBytes Uninstallation, Malspam Execution Registering Malicious DLL, Lazarus Loaders, Suspicious Taskkill Command, Phorpiex DriveMgr Command, Mustang Panda Dropper"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access, Container Credential Access"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x RSA SecurID", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, PowerShell Commands Invocation, Bloodhound and Sharphound Tools Usage, Venom Multi-hop Proxy agent detection, Suspicious PowerShell Keywords, WMIC Uninstall Product, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Socat Reverse Shell Detection, Phorpiex DriveMgr Command, Invoke-TheHash Commandlets, Malspam Execution Registering Malicious DLL, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), WMImplant Hack Tool, Sekoia.io EICAR Detection, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Socat Relaying Socket, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, FromBase64String Command Line, Suspicious Taskkill Command, QakBot Process Creation, Linux Bash Reverse Shell, Suspicious PowerShell Invocations - Generic, Mustang Panda Dropper, Lazarus Loaders, MalwareBytes Uninstallation"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, Process Trace Alteration, Suspicious CommandLine Lsassy Pattern, Mimikatz Basic Commands, HackTools Suspicious Process Names In Command Line, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Rdrleakdiag, Wdigest Enable UseLogonCredential, Copying Browser Files With Credentials"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious certutil command, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Windows Firewall Changes, Powershell AMSI Bypass, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Netsh RDP Port Forwarding, Windows Firewall Changes, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Powershell AMSI Bypass, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Disabled IE Security Features, Netsh Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, ETW Tampering, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable Services, Address Space Layout Randomization (ASLR) Alteration, Clear EventLogs Through CommandLine, Raccine Uninstall, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Blue Mockingbird Malware, Wdigest Enable UseLogonCredential, RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, DHCP Callout DLL Installation, Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, AdFind Usage, NlTest Usage, PowerView commandlets 1"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution, Control Panel Items, Malspam Execution Registering Malicious DLL, CertOC Loading Dll, Suspicious Desktopimgdownldr Execution, MavInject Process Injection, Equation Group DLL_U Load, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Control Panel Items, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Copy Of Legitimate System32 Executable, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Ngrok Process Execution, Netsh Port Forwarding"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Stop Backup Services, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, WMI Install Of Binary, Invoke-TheHash Commandlets, Blue Mockingbird Malware, Wmic Process Call Creation, WMIC Uninstall Product, WMImplant Hack Tool"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Default Encoding To UTF-8 PowerShell, PowerShell Invoke Expression With Registry, Invoke-TheHash Commandlets, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Generic, Bloodhound and Sharphound Tools Usage, Powershell Web Request, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, FromBase64String Command Line, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account, Mimikatz Basic Commands"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, NjRat Registry Changes, Njrat Registry Values, Autorun Keys Modification, Malware Persistence Registry Key"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Impacket Addcomputer"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Services, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, Microsoft Defender Antivirus Disable Using Registry, WMIC Uninstall Product, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Forwarding, Disable Task Manager Through Registry Key"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, FromBase64String Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, QakBot Process Creation"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line, Exfiltration Domain"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar With Password"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Mustang Panda Dropper, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Dynamic DNS Contacted"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access, Container Credential Access"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_2259adc3-9d93-4150-9c1c-46804e636084_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_2259adc3-9d93-4150-9c1c-46804e636084_do_not_edit_manually.json
index 3fa7a50fb7..1630bd667b 100644
--- a/_shared_content/operations_center/detection/generated/attack_2259adc3-9d93-4150-9c1c-46804e636084_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_2259adc3-9d93-4150-9c1c-46804e636084_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Fortinet FortiWeb", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain, Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain, Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential LokiBot User-Agent, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Covenant Default HTTP Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential LokiBot User-Agent, Covenant Default HTTP Beaconing, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Fortinet FortiWeb", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), Entra ID Sign-In Via Known AiTM Phishing Kit, EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), Entra ID Sign-In Via Known AiTM Phishing Kit, EvilProxy Phishing Domain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Cryptomining, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Bazar Loader DGA (Domain Generation Algorithm), Potential LokiBot User-Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.json
index 1eeba36454..e8f413c685 100644
--- a/_shared_content/operations_center/detection/generated/attack_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x CrowdStrike Falcon", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: CrowdStrike Falcon Identity Protection Detection Low Severity, IcedID Execution Using Excel, CrowdStrike Falcon Identity Protection Detection Critical Severity, CrowdStrike Falcon Intrusion Detection Critical Severity, CrowdStrike Falcon Identity Protection Detection High Severity, Malspam Execution Registering Malicious DLL, Suspicious Outlook Child Process, Microsoft Office Product Spawning Windows Shell, CrowdStrike Falcon Intrusion Detection, CrowdStrike Falcon Identity Protection Detection Informational Severity, Explorer Process Executing HTA File, CrowdStrike Falcon Intrusion Detection Low Severity, ZIP LNK Infection Chain, MS Office Product Spawning Exe in User Dir, Winword Document Droppers, CrowdStrike Falcon Intrusion Detection Medium Severity, Microsoft Office Spawning Script, CrowdStrike Falcon Intrusion Detection Informational Severity, ISO LNK Infection Chain, Cobalt Strike Default Beacons Names, CrowdStrike Falcon Identity Protection Detection Medium Severity, CrowdStrike Falcon Intrusion Detection High Severity, SquirrelWaffle Malspam Execution Loading DLL, HTA Infection Chains, Exploit For CVE-2015-1641"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Venom Multi-hop Proxy agent detection, Suspicious Windows Script Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious CodePage Switch with CHCP, Default Encoding To UTF-8 PowerShell, Socat Reverse Shell Detection, CrowdStrike Falcon Identity Protection Detection Low Severity, Generic-reverse-shell-oneliner, WMImplant Hack Tool, Suspicious PowerShell Keywords, Trickbot Malware Activity, PowerShell Downgrade Attack, CrowdStrike Falcon Identity Protection Detection Critical Severity, Exploiting SetupComplete.cmd CVE-2019-1378, CrowdStrike Falcon Intrusion Detection Critical Severity, Suspicious PrinterPorts Creation (CVE-2020-1048), Mustang Panda Dropper, CrowdStrike Falcon Identity Protection Detection High Severity, PowerShell EncodedCommand, QakBot Process Creation, Socat Relaying Socket, Sysprep On AppData Folder, Powershell Web Request, Malspam Execution Registering Malicious DLL, Suspicious Outlook Child Process, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Taskkill Command, AutoIt3 Execution From Suspicious Folder, CrowdStrike Falcon Intrusion Detection, Bloodhound and Sharphound Tools Usage, Suspicious Cmd.exe Command Line, CrowdStrike Falcon Identity Protection Detection Informational Severity, MalwareBytes Uninstallation, PowerShell Malicious Nishang PowerShell Commandlets, CrowdStrike Falcon Intrusion Detection Low Severity, Mshta Suspicious Child Process, PowerShell Download From URL, PowerShell Commands Invocation, CrowdStrike Falcon Intrusion Detection Medium Severity, Microsoft Office Spawning Script, Invoke-TheHash Commandlets, CrowdStrike Falcon Intrusion Detection Informational Severity, Microsoft Defender Antivirus Disabled Base64 Encoded, CrowdStrike Falcon Identity Protection Detection Medium Severity, Phorpiex DriveMgr Command, XSL Script Processing And SquiblyTwo Attack, Suspicious XOR Encoded PowerShell Command Line, WMIC Uninstall Product, CrowdStrike Falcon Intrusion Detection High Severity, Suspicious PowerShell Invocations - Generic, Exploited CVE-2020-10189 Zoho ManageEngine, SquirrelWaffle Malspam Execution Loading DLL, Suspicious VBS Execution Parameter, Suspicious PowerShell Invocations - Specific, Lazarus Loaders, Elise Backdoor, DNS Exfiltration and Tunneling Tools Execution, PowerShell Invoke Expression With Registry, Suspicious File Name, Linux Bash Reverse Shell"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: CrowdStrike Falcon Identity Protection Detection Low Severity, CrowdStrike Falcon Identity Protection Detection Critical Severity, Winrshost Wrong Parent, Suspicious DNS Child Process, CrowdStrike Falcon Intrusion Detection Critical Severity, Wsmprovhost Wrong Parent, Wininit Wrong Parent, CrowdStrike Falcon Identity Protection Detection High Severity, SolarWinds Wrong Child Process, Spoolsv Wrong Parent, Windows Update LolBins, Winlogon wrong parent, Svchost Wrong Parent, PsExec Process, Winword wrong parent, Taskhostw Wrong Parent, SolarWinds Suspicious File Creation, CrowdStrike Falcon Intrusion Detection, Dllhost Wrong Parent, CrowdStrike Falcon Identity Protection Detection Informational Severity, Usage Of Sysinternals Tools, Csrss Wrong Parent, Rare Lsass Child Found, CrowdStrike Falcon Intrusion Detection Low Severity, Smss Wrong Parent, OneNote Suspicious Children Process, Searchprotocolhost Child Found, Gpscript Suspicious Parent, Searchprotocolhost Wrong Parent, CrowdStrike Falcon Intrusion Detection Medium Severity, Taskhost Wrong Parent, Rare Logonui Child Found, CrowdStrike Falcon Intrusion Detection Informational Severity, CrowdStrike Falcon Identity Protection Detection Medium Severity, Usage Of Procdump With Common Arguments, CrowdStrike Falcon Intrusion Detection High Severity, Exfiltration Via Pscp, Wmiprvse Wrong Parent, Logonui Wrong Parent, Csrss Child Found, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Userinit Wrong Parent, Lsass Wrong Parent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: CrowdStrike Falcon Mobile Detection Low Severity, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Correlation Potential DNS Tunnel, CrowdStrike Falcon Mobile Detection Informational Severity, Suspicious Windows DNS Queries, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, CrowdStrike Falcon Mobile Detection High Severity, DNS Tunnel Technique From MuddyWater, CrowdStrike Falcon Mobile Detection Critical Severity, CrowdStrike Falcon Mobile Detection Medium Severity, Cryptomining"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, FLTMC command usage, ETW Tampering"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Program Allowed With Suspicious Location, Netsh Allow Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh RDP Port Opening, Disable .NET ETW Through COMPlus_ETWEnabled, FLTMC command usage, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PROCEXP152.sys File Created In Tmp, Netsh RDP Port Forwarding, Netsh Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Disabled IE Security Features, ETW Tampering, Powershell AMSI Bypass, MalwareBytes Uninstallation, Raccine Uninstall, Disable Windows Defender Credential Guard, Address Space Layout Randomization (ASLR) Alteration, Windows Firewall Changes, Microsoft Defender Antivirus Disable Using Registry, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable Services, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, WMIC Uninstall Product, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Port Opening, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Task Manager Through Registry Key, Netsh Allowed Python Program, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Process Names In Command Line, Cmdkey Cached Credentials Recon, HackTools Suspicious Names, Process Trace Alteration, Process Memory Dump Using Rdrleakdiag, Mimikatz Basic Commands, Rubeus Tool Command-line, Grabbing Sensitive Hives Via Reg Utility, Process Memory Dump Using Comsvcs, Wdigest Enable UseLogonCredential, NTDS.dit File Interaction Through Command Line, WCE wceaux.dll Creation, Suspicious CommandLine Lsassy Pattern, Credential Dump Tools Related Files, Process Memory Dump Using Createdump, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Rclone Process, Suspicious certutil command, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Shell PID Injection, COM Hijack Via Sdclt, CMSTP UAC Bypass via COM Object Access, HTML Smuggling Suspicious Usage, Reconnaissance Commands Activities, UAC Bypass Via Sdclt"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP UAC Bypass via COM Object Access, CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Empire Monkey Activity, IcedID Execution Using Excel, Suspicious Desktopimgdownldr Execution, Suspicious Mshta Execution, xWizard Execution, Suspicious Regsvr32 Execution, Malspam Execution Registering Malicious DLL, MavInject Process Injection, PowerShell Execution Via Rundll32, CertOC Loading Dll, Suspicious DLL Loading By Ordinal, CMSTP UAC Bypass via COM Object Access, Suspicious Taskkill Command, MOFComp Execution, Explorer Process Executing HTA File, Equation Group DLL_U Load, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Regasm Regsvcs Usage, CMSTP Execution, SquirrelWaffle Malspam Execution Loading DLL, Control Panel Items, Suspicious Control Process, AccCheckConsole Executing Dll, Mshta JavaScript Execution, Suspicious Windows Installer Execution, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, QakBot Process Creation, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Suspicious VBS Execution Parameter, Microsoft Office Spawning Script, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, MS Office Product Spawning Exe in User Dir, Winword Document Droppers, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, WMImplant Hack Tool, Suspicious PowerShell Keywords, PowerShell Downgrade Attack, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Powershell Web Request, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Taskkill Command, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, Mshta Suspicious Child Process, PowerShell Download From URL, Invoke-TheHash Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, Suspicious PowerShell Invocations - Generic, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, PowerShell Invoke Expression With Registry"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, WMI Fingerprint Commands, Shadow Copies, System Info Discovery, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Wsmprovhost Wrong Parent, Smss Wrong Parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration, Svchost Wrong Parent, Searchprotocolhost Wrong Parent, Searchindexer Wrong Parent, Taskhost Wrong Parent, Taskhostw Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Explorer Wrong Parent"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Winrshost Wrong Parent, Wsmprovhost Wrong Parent, Wininit Wrong Parent, SolarWinds Wrong Child Process, Spoolsv Wrong Parent, Winlogon wrong parent, Svchost Wrong Parent, Winword wrong parent, Taskhostw Wrong Parent, Dllhost Wrong Parent, Csrss Wrong Parent, Rare Lsass Child Found, Smss Wrong Parent, OneNote Suspicious Children Process, Searchprotocolhost Child Found, Gpscript Suspicious Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, New Service Creation, Taskhost Wrong Parent, Explorer Wrong Parent, Wmiprvse Wrong Parent, Logonui Wrong Parent, Csrss Child Found, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Userinit Wrong Parent, Lsass Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Winrshost Wrong Parent, Wsmprovhost Wrong Parent, Wininit Wrong Parent, SolarWinds Wrong Child Process, Spoolsv Wrong Parent, Winlogon wrong parent, Svchost Wrong Parent, Winword wrong parent, Taskhostw Wrong Parent, Dllhost Wrong Parent, Csrss Wrong Parent, Rare Lsass Child Found, Smss Wrong Parent, OneNote Suspicious Children Process, Searchprotocolhost Child Found, Gpscript Suspicious Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, New Service Creation, Taskhost Wrong Parent, Explorer Wrong Parent, Wmiprvse Wrong Parent, Logonui Wrong Parent, Csrss Child Found, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Userinit Wrong Parent, Lsass Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Winrshost Wrong Parent, Suspicious DNS Child Process, Wsmprovhost Wrong Parent, Wininit Wrong Parent, SolarWinds Wrong Child Process, Spoolsv Wrong Parent, Winlogon wrong parent, Svchost Wrong Parent, PsExec Process, Winword wrong parent, Taskhostw Wrong Parent, Dllhost Wrong Parent, Usage Of Sysinternals Tools, Csrss Wrong Parent, Rare Lsass Child Found, Smss Wrong Parent, OneNote Suspicious Children Process, Searchprotocolhost Child Found, Gpscript Suspicious Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, Taskhost Wrong Parent, Usage Of Procdump With Common Arguments, Wmiprvse Wrong Parent, Logonui Wrong Parent, Csrss Child Found, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Userinit Wrong Parent, Lsass Wrong Parent"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Add User to Privileged Group, Enabling Restricted Admin Mode"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Powershell AMSI Bypass, Netsh Port Opening, Netsh Program Allowed With Suspicious Location, Netsh Allow Command, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Wdigest Enable UseLogonCredential, Suspicious Desktopimgdownldr Execution, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password, PowerShell Data Compressed"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Blue Mockingbird Malware, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, COM Hijack Via Sdclt, Control Panel Items, HTML Smuggling Suspicious Usage, Reconnaissance Commands Activities, Change Default File Association, Component Object Model Hijacking"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Openfiles Usage, Network Scanning and Discovery, Shell PID Injection, PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Shell PID Injection, Discovery Commands Correlation, Active Directory Data Export Using Csvde, PowerView commandlets 1, Reconnaissance Commands Activities, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Trickbot Malware Activity, PowerView commandlets 1, AdFind Usage, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, IIS Module Installation Using AppCmd, Webshell Execution W3WP Process, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Copy Of Legitimate System32 Executable, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, AutoIt3 Execution From Suspicious Folder, RTLO Character, Suspicious Cmd.exe Command Line, Explorer Wrong Parent"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Ngrok Process Execution, Netsh Port Forwarding, Potential DNS Tunnel"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Correlation Multi Service Disable"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Stop Backup Services"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Process Call Creation, WMIC Uninstall Product, Impacket Wmiexec Module, WMImplant Hack Tool, WMI Install Of Binary, WMI Fingerprint Commands, Invoke-TheHash Commandlets, Suspicious Mshta Execution From Wmi, Wmic Service Call, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PROCEXP152.sys File Created In Tmp, Netsh RDP Port Forwarding, Netsh Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Disabled IE Security Features, MalwareBytes Uninstallation, Raccine Uninstall, Disable Windows Defender Credential Guard, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Disable Services, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, WMIC Uninstall Product, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Port Opening, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Task Manager Through Registry Key, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining, Correlation Potential DNS Tunnel, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Credential Dump Tools Related Files, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Autorun Keys Modification, Leviathan Registry Key Activity, Suspicious desktop.ini Action, Njrat Registry Values, Kernel Module Alteration, NjRat Registry Changes"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious XOR Encoded PowerShell Command Line, Suspicious certutil command, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Gpresult Usage, Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, Network Sniffing, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Office Application Startup Office Test"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, PowerShell Execution Via Rundll32, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands, Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: System Network Connections Discovery, ACLight Discovering Privileged Accounts, Remote System Discovery Via Telnet, Adidnsdump Enumeration"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, WMIC Uninstall Product, MalwareBytes Uninstallation, Exploited CVE-2020-10189 Zoho ManageEngine, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Lazarus Loaders, Elise Backdoor, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, Phorpiex DriveMgr Command, Mustang Panda Dropper"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access, Adexplorer Usage, Linux Suspicious Search, Opening Of a Password File, Container Credential Access"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, Erase Shell History, ETW Tampering, Compression Followed By Suppression"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Potential DNS Tunnel, Exfiltration Domain, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder, Explorer Wrong Parent"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious Hangul Word Processor Child Process, Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, Suspicious Outlook Child Process, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, Suspicious Windows DNS Queries"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, Dynamic Linker Hijacking From Environment Variable, DNS ServerLevelPluginDll Installation, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, Discovery Commands Correlation"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup, Wmic Suspicious Commands"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Createdump, Credential Dump Tools Related Files"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding, Suspicious TOR Gateway"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Certify Or Certipy"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Shell PID Injection"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x CrowdStrike Falcon", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, CrowdStrike Falcon Intrusion Detection, CrowdStrike Falcon Identity Protection Detection Informational Severity, CrowdStrike Falcon Intrusion Detection High Severity, IcedID Execution Using Excel, Suspicious Outlook Child Process, HTA Infection Chains, CrowdStrike Falcon Intrusion Detection Informational Severity, CrowdStrike Falcon Intrusion Detection Medium Severity, Microsoft Office Spawning Script, CrowdStrike Falcon Identity Protection Detection High Severity, Malspam Execution Registering Malicious DLL, Exploit For CVE-2015-1641, Microsoft Office Product Spawning Windows Shell, CrowdStrike Falcon Identity Protection Detection Medium Severity, Winword Document Droppers, CrowdStrike Falcon Intrusion Detection Critical Severity, ISO LNK Infection Chain, CrowdStrike Falcon Identity Protection Detection Low Severity, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, CrowdStrike Falcon Intrusion Detection Low Severity, SquirrelWaffle Malspam Execution Loading DLL, CrowdStrike Falcon Identity Protection Detection Critical Severity, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, CrowdStrike Falcon Intrusion Detection, CrowdStrike Falcon Identity Protection Detection Informational Severity, CrowdStrike Falcon Intrusion Detection High Severity, PowerShell Commands Invocation, Suspicious File Name, Suspicious Outlook Child Process, Bloodhound and Sharphound Tools Usage, CrowdStrike Falcon Intrusion Detection Informational Severity, Suspicious XOR Encoded PowerShell Command Line, Venom Multi-hop Proxy agent detection, Suspicious PowerShell Keywords, Suspicious Cmd.exe Command Line, WMIC Uninstall Product, Suspicious PowerShell Invocations - Specific, Suspicious VBS Execution Parameter, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious CodePage Switch with CHCP, CrowdStrike Falcon Intrusion Detection Medium Severity, Microsoft Office Spawning Script, Socat Reverse Shell Detection, Phorpiex DriveMgr Command, Invoke-TheHash Commandlets, CrowdStrike Falcon Identity Protection Detection High Severity, Malspam Execution Registering Malicious DLL, Powershell Web Request, XSL Script Processing And SquiblyTwo Attack, Suspicious PrinterPorts Creation (CVE-2020-1048), Mshta Suspicious Child Process, WMImplant Hack Tool, Sekoia.io EICAR Detection, Default Encoding To UTF-8 PowerShell, CrowdStrike Falcon Identity Protection Detection Medium Severity, DNS Exfiltration and Tunneling Tools Execution, AutoIt3 Execution From Suspicious Folder, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Socat Relaying Socket, PowerShell EncodedCommand, FromBase64String Command Line, Suspicious Taskkill Command, Generic-reverse-shell-oneliner, CrowdStrike Falcon Intrusion Detection Critical Severity, QakBot Process Creation, Linux Bash Reverse Shell, PowerShell Downgrade Attack, Elise Backdoor, Exploited CVE-2020-10189 Zoho ManageEngine, CrowdStrike Falcon Identity Protection Detection Low Severity, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PowerShell Invocations - Generic, Trickbot Malware Activity, CrowdStrike Falcon Intrusion Detection Low Severity, Suspicious Windows Script Execution, Mustang Panda Dropper, SquirrelWaffle Malspam Execution Loading DLL, Lazarus Loaders, Sysprep On AppData Folder, CrowdStrike Falcon Identity Protection Detection Critical Severity, PowerShell Download From URL"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: CrowdStrike Falcon Intrusion Detection, CrowdStrike Falcon Identity Protection Detection Informational Severity, CrowdStrike Falcon Intrusion Detection High Severity, Taskhostw Wrong Parent, CrowdStrike Falcon Intrusion Detection Informational Severity, Rare Logonui Child Found, Searchprotocolhost Wrong Parent, PsExec Process, Spoolsv Wrong Parent, Wininit Wrong Parent, Userinit Wrong Parent, Exfiltration Via Pscp, Winrshost Wrong Parent, CrowdStrike Falcon Intrusion Detection Medium Severity, Windows Update LolBins, CrowdStrike Falcon Identity Protection Detection High Severity, Gpscript Suspicious Parent, Searchindexer Wrong Parent, SolarWinds Wrong Child Process, Smss Wrong Parent, Usage Of Procdump With Common Arguments, Winword wrong parent, OneNote Suspicious Children Process, Suspicious DNS Child Process, Dllhost Wrong Parent, Svchost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Lsass Wrong Parent, Winlogon wrong parent, CrowdStrike Falcon Identity Protection Detection Medium Severity, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Rare Lsass Child Found, Searchprotocolhost Child Found, CrowdStrike Falcon Intrusion Detection Critical Severity, Csrss Wrong Parent, CrowdStrike Falcon Identity Protection Detection Low Severity, Csrss Child Found, SolarWinds Suspicious File Creation, Usage Of Sysinternals Tools, Wmiprvse Wrong Parent, CrowdStrike Falcon Intrusion Detection Low Severity, Logonui Wrong Parent, CrowdStrike Falcon Identity Protection Detection Critical Severity"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, CrowdStrike Falcon Mobile Detection Medium Severity, Exfiltration And Tunneling Tools Execution, Cryptomining, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, CrowdStrike Falcon Mobile Detection Critical Severity, Correlation Potential DNS Tunnel, Suspicious Windows DNS Queries, CrowdStrike Falcon Mobile Detection Informational Severity, DNS Tunnel Technique From MuddyWater, CrowdStrike Falcon Mobile Detection High Severity, CrowdStrike Falcon Mobile Detection Low Severity"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit, EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit, EvilProxy Phishing Domain"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, FLTMC command usage"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Windows Firewall Changes, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Program Allowed With Suspicious Location, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Powershell AMSI Bypass, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Opening, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Port Opening, Disabled IE Security Features, Netsh Port Forwarding, FLTMC command usage, Netsh Allow Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, ETW Tampering, Disable .NET ETW Through COMPlus_ETWEnabled, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disable Services, Address Space Layout Randomization (ASLR) Alteration, Fail2ban Unban IP, Clear EventLogs Through CommandLine, Raccine Uninstall, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Suspicious PROCEXP152.sys File Created In Tmp, Disable Task Manager Through Registry Key"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, Copying Sensitive Files With Credential Data, Credential Dump Tools Related Files, Suspicious CommandLine Lsassy Pattern, WCE wceaux.dll Creation, Process Trace Alteration, Mimikatz Basic Commands, HackTools Suspicious Process Names In Command Line, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Names, Process Memory Dump Using Rdrleakdiag, Wdigest Enable UseLogonCredential, Grabbing Sensitive Hives Via Reg Utility, Process Memory Dump Using Createdump, Copying Browser Files With Credentials"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Rclone Process, Suspicious Finger Usage"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, Reconnaissance Commands Activities, Shell PID Injection, COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, UAC Bypass Via Sdclt"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, Mshta JavaScript Execution, MavInject Process Injection, Suspicious Control Process, MOFComp Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Regasm Regsvcs Usage, Malspam Execution Registering Malicious DLL, CertOC Loading Dll, xWizard Execution, PowerShell Execution Via Rundll32, Control Panel Items, Empire Monkey Activity, Suspicious Desktopimgdownldr Execution, Suspicious Taskkill Command, Suspicious Mshta Execution, Suspicious DLL Loading By Ordinal, Suspicious Regsvr32 Execution, CMSTP UAC Bypass via COM Object Access, CMSTP Execution, Explorer Process Executing HTA File, Equation Group DLL_U Load, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Microsoft Office Spawning Script, Malspam Execution Registering Malicious DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, SquirrelWaffle Malspam Execution Loading DLL, QakBot Process Creation, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Exploit For CVE-2015-1641, Explorer Process Executing HTA File, Winword Document Droppers, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, Bloodhound and Sharphound Tools Usage, Suspicious XOR Encoded PowerShell Command Line, Suspicious PowerShell Keywords, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, Invoke-TheHash Commandlets, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), Mshta Suspicious Child Process, WMImplant Hack Tool, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, FromBase64String Command Line, Suspicious Taskkill Command, PowerShell Downgrade Attack, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious PowerShell Invocations - Generic, PowerShell Download From URL"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, WMI Fingerprint Commands, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, Shadow Copies, System Info Discovery"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Svchost Wrong Parent, Taskhostw Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Smss Wrong Parent, Wsmprovhost Wrong Parent, Wmiprvse Wrong Parent, MavInject Process Injection, Explorer Wrong Parent, Spoolsv Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Searchindexer Wrong Parent"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Rare Logonui Child Found, Searchprotocolhost Wrong Parent, Spoolsv Wrong Parent, Wininit Wrong Parent, New Service Creation, Userinit Wrong Parent, Winrshost Wrong Parent, Gpscript Suspicious Parent, SolarWinds Wrong Child Process, Smss Wrong Parent, Explorer Wrong Parent, Winword wrong parent, OneNote Suspicious Children Process, Dllhost Wrong Parent, Svchost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Lsass Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Rare Lsass Child Found, Searchprotocolhost Child Found, Csrss Wrong Parent, Csrss Child Found, Wmiprvse Wrong Parent, Logonui Wrong Parent, Searchindexer Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Rare Logonui Child Found, Searchprotocolhost Wrong Parent, Spoolsv Wrong Parent, Wininit Wrong Parent, New Service Creation, Userinit Wrong Parent, Winrshost Wrong Parent, Gpscript Suspicious Parent, SolarWinds Wrong Child Process, Smss Wrong Parent, Explorer Wrong Parent, Winword wrong parent, OneNote Suspicious Children Process, Dllhost Wrong Parent, Svchost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Lsass Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Rare Lsass Child Found, Searchprotocolhost Child Found, Csrss Wrong Parent, Csrss Child Found, Wmiprvse Wrong Parent, Logonui Wrong Parent, Searchindexer Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Rare Logonui Child Found, Searchprotocolhost Wrong Parent, PsExec Process, Spoolsv Wrong Parent, Wininit Wrong Parent, Userinit Wrong Parent, Winrshost Wrong Parent, Gpscript Suspicious Parent, SolarWinds Wrong Child Process, Smss Wrong Parent, Usage Of Procdump With Common Arguments, Winword wrong parent, OneNote Suspicious Children Process, Suspicious DNS Child Process, Dllhost Wrong Parent, Svchost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Lsass Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Rare Lsass Child Found, Searchprotocolhost Child Found, Csrss Wrong Parent, Csrss Child Found, Usage Of Sysinternals Tools, Wmiprvse Wrong Parent, Logonui Wrong Parent, Searchindexer Wrong Parent"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Netsh Allow Command, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Program Allowed With Suspicious Location, Powershell AMSI Bypass, Netsh Port Opening, Netsh Port Forwarding"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Blue Mockingbird Malware, Wdigest Enable UseLogonCredential, RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, DHCP Callout DLL Installation, Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, PowerShell Data Compressed, Data Compressed With Rar With Password"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Control Panel Items, Reconnaissance Commands Activities, Change Default File Association, New DLL Added To AppCertDlls Registry Key, COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, PowerView commandlets 2, Openfiles Usage, Shell PID Injection, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, Reconnaissance Commands Activities, Shell PID Injection, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 1, Network Share Discovery, PowerView commandlets 2"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, Trickbot Malware Activity, PowerView commandlets 2, NlTest Usage, AdFind Usage, PowerView commandlets 1"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading, IIS Module Installation Using AppCmd, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Copy Of Legitimate System32 Executable, AutoIt3 Execution From Suspicious Folder, Formbook Hijacked Process Command, Non-Legitimate Executable Using AcceptEula Parameter, Legitimate Process Execution From Unusual Folder, Suspicious Cmd.exe Command Line, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Socat Reverse Shell Detection, Socat Relaying Socket, Potential DNS Tunnel, Venom Multi-hop Proxy agent detection, Ngrok Process Execution, Netsh Port Forwarding"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Stop Backup Services, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, WMI Fingerprint Commands, WMI Install Of Binary, Impacket Wmiexec Module, Invoke-TheHash Commandlets, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, Wmic Process Call Creation, WMIC Uninstall Product, WMImplant Hack Tool, Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Program Allowed With Suspicious Location, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Port Opening, Disabled IE Security Features, Netsh Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disable Services, Address Space Layout Randomization (ASLR) Alteration, Fail2ban Unban IP, Raccine Uninstall, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Suspicious PROCEXP152.sys File Created In Tmp, Disable Task Manager Through Registry Key"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Correlation Potential DNS Tunnel, Cryptomining, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, Malware Persistence Registry Key, NjRat Registry Changes, Njrat Registry Values, Autorun Keys Modification, Kernel Module Alteration, Suspicious desktop.ini Action"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, IcedID Execution Using Excel"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, Empire Monkey Activity, Equation Group DLL_U Load, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, Suspicious Headless Web Browser Execution To Download File, Discovery Commands Correlation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, Cmd.exe Used To Run Reconnaissance Commands, Discovery Commands Correlation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, System Network Connections Discovery, Remote System Discovery Via Telnet, ACLight Discovering Privileged Accounts"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious DNS Child Process"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Elise Backdoor, Exploited CVE-2020-10189 Zoho ManageEngine, Exploiting SetupComplete.cmd CVE-2019-1378, Phorpiex DriveMgr Command, Malspam Execution Registering Malicious DLL, Suspicious Cmd.exe Command Line, Suspicious Taskkill Command, Mustang Panda Dropper, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Adexplorer Usage, Opening Of a Password File, Linux Suspicious Search, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, Erase Shell History, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line, Exfiltration Domain"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Legitimate Process Execution From Unusual Folder, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution, Exploit For CVE-2015-1641, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Hangul Word Processor Child Process, Suspicious Outlook Child Process"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, Suspicious Windows DNS Queries"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Exploiting SetupComplete.cmd CVE-2019-1378, Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Shell PID Injection, Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_23813540-b658-48dd-b030-e9b92168bbf4_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_23813540-b658-48dd-b030-e9b92168bbf4_do_not_edit_manually.json
index 4f42cc2077..6826f45b10 100644
--- a/_shared_content/operations_center/detection/generated/attack_23813540-b658-48dd-b030-e9b92168bbf4_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_23813540-b658-48dd-b030-e9b92168bbf4_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Daspren Parad [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: ISO LNK Infection Chain, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, HTA Infection Chains"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Microsoft Office Creating Suspicious File, AutoIt3 Execution From Suspicious Folder, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, Process Trace Alteration, NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation, Credential Dump Tools Related Files"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, RTLO Character, Legitimate Process Execution From Unusual Folder, AutoIt3 Execution From Suspicious Folder"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, Suspicious desktop.ini Action"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ISO LNK Infection Chain, HTA Infection Chains"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Daspren Parad Malicious Behavior"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Daspren Parad [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HTA Infection Chains, Cobalt Strike Default Beacons Names, ISO LNK Infection Chain, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, AutoIt3 Execution From Suspicious Folder, Bloodhound and Sharphound Tools Usage, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, OneNote Suspicious Children Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Process Trace Alteration, NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation, HackTools Suspicious Names"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, Phorpiex Process Masquerading, RTLO Character, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Relaying Socket, Exfiltration And Tunneling Tools Execution, Socat Reverse Shell Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, Suspicious desktop.ini Action"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage, NlTest Usage"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Daspren Parad Malicious Behavior"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_23b75d0c-2026-4d3e-b916-636c27ba4931_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_23b75d0c-2026-4d3e-b916-636c27ba4931_do_not_edit_manually.json
index 01a56844ba..6f5e7fe81d 100644
--- a/_shared_content/operations_center/detection/generated/attack_23b75d0c-2026-4d3e-b916-636c27ba4931_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_23b75d0c-2026-4d3e-b916-636c27ba4931_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco Secure Web Appliance", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, HackTools Suspicious Names, Credential Dump Tools Related Files"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential LokiBot User-Agent, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Dynamic DNS Contacted, Cobalt Strike HTTP Default POST Beaconing, Correlation Potential DNS Tunnel, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default GET beaconing, Cryptomining, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, LokiBot Default C2 URL"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-21985 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2020-1147 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-17530 Apache Struts RCE, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-41773 Apache 2.4.49 Path Traversal, GitLab CVE-2021-22205, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2019-0604 SharePoint"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage, Suspicious TOR Gateway"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential LokiBot User-Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Cobalt Strike HTTP Default POST Beaconing, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, LokiBot Default C2 URL"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco Secure Web Appliance", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, HackTools Suspicious Names, WCE wceaux.dll Creation"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Correlation Potential DNS Tunnel, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing, Cobalt Strike HTTP Default GET beaconing, Detect requests to Konni C2 servers, Koadic MSHTML Command, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Covenant Default HTTP Beaconing, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), GitLab CVE-2021-22205, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing, Cobalt Strike HTTP Default GET beaconing, Detect requests to Konni C2 servers, Koadic MSHTML Command, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_250e4095-fa08-4101-bb02-e72f870fcbd1_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_250e4095-fa08-4101-bb02-e72f870fcbd1_do_not_edit_manually.json
index b6541313d2..fce8eb6b15 100644
--- a/_shared_content/operations_center/detection/generated/attack_250e4095-fa08-4101-bb02-e72f870fcbd1_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_250e4095-fa08-4101-bb02-e72f870fcbd1_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Sekoia.io Endpoint Agent", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204.002", "score": 100, "comment": "Rules: HarfangLab EDR Critical Threat, HarfangLab EDR High Threat, HarfangLab EDR Low Level Rule Detection, IcedID Execution Using Excel, HarfangLab EDR Medium Level Rule Detection, Malspam Execution Registering Malicious DLL, Sysmon Windows File Block Executable, Microsoft Office Product Spawning Windows Shell, HarfangLab EDR Low Threat, HarfangLab EDR Hlai Engine Detection, Explorer Process Executing HTA File, MS Office Product Spawning Exe in User Dir, Winword Document Droppers, Suspicious DLL Loaded Via Office Applications, Microsoft Office Spawning Script, Cobalt Strike Default Beacons Names, HarfangLab EDR Process Execution Blocked (HL-AI engine), HarfangLab EDR Suspicious Process Behavior Has Been Detected, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Medium Threat, Microsoft Office Creating Suspicious File, SquirrelWaffle Malspam Execution Loading DLL, HarfangLab EDR Critical Level Rule Detection, Exploit For CVE-2015-1641"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HarfangLab EDR Critical Threat, HarfangLab EDR High Threat, HarfangLab EDR Low Level Rule Detection, IcedID Execution Using Excel, HarfangLab EDR Medium Level Rule Detection, Malspam Execution Registering Malicious DLL, Suspicious Outlook Child Process, Sysmon Windows File Block Executable, Microsoft Office Product Spawning Windows Shell, HarfangLab EDR Low Threat, HarfangLab EDR Hlai Engine Detection, Explorer Process Executing HTA File, ZIP LNK Infection Chain, MS Office Product Spawning Exe in User Dir, Winword Document Droppers, Suspicious DLL Loaded Via Office Applications, Microsoft Office Spawning Script, ISO LNK Infection Chain, Cobalt Strike Default Beacons Names, HarfangLab EDR Process Execution Blocked (HL-AI engine), HarfangLab EDR Suspicious Process Behavior Has Been Detected, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Medium Threat, Microsoft Office Creating Suspicious File, Microsoft Defender Antivirus Threat Detected, SquirrelWaffle Malspam Execution Loading DLL, HTA Infection Chains, HarfangLab EDR Critical Level Rule Detection, Exploit For CVE-2015-1641"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Venom Multi-hop Proxy agent detection, Suspicious Windows Script Execution, PowerShell NTFS Alternate Data Stream, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious CodePage Switch with CHCP, Default Encoding To UTF-8 PowerShell, Socat Reverse Shell Detection, WMImplant Hack Tool, Suspicious PowerShell Keywords, Trickbot Malware Activity, PowerShell Downgrade Attack, WMI DLL Loaded Via Office, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PrinterPorts Creation (CVE-2020-1048), Mustang Panda Dropper, Malicious PowerShell Keywords, PowerShell EncodedCommand, QakBot Process Creation, Socat Relaying Socket, Sysprep On AppData Folder, Aspnet Compiler, Powershell Web Request, In-memory PowerShell, Malspam Execution Registering Malicious DLL, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Outlook Child Process, PowerShell Credential Prompt, Suspicious Taskkill Command, AutoIt3 Execution From Suspicious Folder, Bloodhound and Sharphound Tools Usage, Suspicious Cmd.exe Command Line, MalwareBytes Uninstallation, PowerShell Malicious Nishang PowerShell Commandlets, Mshta Suspicious Child Process, Suspicious DLL Loaded Via Office Applications, PowerShell Download From URL, Suspicious Scripting In A WMI Consumer, PowerShell Commands Invocation, Microsoft Office Spawning Script, Invoke-TheHash Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, Detection of default Mimikatz banner, XSL Script Processing And SquiblyTwo Attack, Suspicious XOR Encoded PowerShell Command Line, Alternate PowerShell Hosts Pipe, WMIC Uninstall Product, Suspicious PowerShell Invocations - Generic, Exploited CVE-2020-10189 Zoho ManageEngine, Microsoft Office Creating Suspicious File, Microsoft Defender Antivirus Threat Detected, SquirrelWaffle Malspam Execution Loading DLL, Suspicious VBS Execution Parameter, Suspicious PowerShell Invocations - Specific, Turla Named Pipes, Lazarus Loaders, Elise Backdoor, DNS Exfiltration and Tunneling Tools Execution, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell Invoke Expression With Registry, PowerShell Malicious PowerShell Commandlets, Suspicious File Name"}, {"techniqueID": "T1557.001", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Possible RottenPotato Attack, Correlation Suspicious Authentication Coercer Behavior"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Possible RottenPotato Attack"}, {"techniqueID": "T1137.006", "score": 100, "comment": "Rules: Microsoft Office Startup Add-In"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Microsoft Office Startup Add-In, Office Application Startup Office Test"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disable Security Events Logging Adding Reg Key MiniNt, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Program Allowed With Suspicious Location, Python Opening Ports, Netsh Allow Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Exclusion Configuration, Netsh RDP Port Opening, Microsoft Defender Antivirus Tampering Detected, Disable .NET ETW Through COMPlus_ETWEnabled, FLTMC command usage, Windows Defender Deactivation Using PowerShell Script, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspect Svchost Memory Access, Suspicious PROCEXP152.sys File Created In Tmp, Netsh RDP Port Forwarding, Netsh Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Disabled IE Security Features, ETW Tampering, Powershell AMSI Bypass, MalwareBytes Uninstallation, Raccine Uninstall, Disable Windows Defender Credential Guard, Windows Firewall Changes, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Configuration Changed, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable Services, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, NetNTLM Downgrade Attack, Dism Disabling Windows Defender, WMIC Uninstall Product, TrustedInstaller Impersonation, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Port Opening, Microsoft Malware Protection Engine Crash, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Task Manager Through Registry Key, Netsh Allowed Python Program, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Driver Loaded"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Secure Deletion With SDelete, Microsoft Defender Antivirus History Directory Deleted, Cookies Deletion, High Privileges Network Share Removal, Microsoft Defender Antivirus Tampering Detected, Eventlog Cleared, Clear EventLogs Through CommandLine, ETW Tampering, Compression Followed By Suppression"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, FLTMC command usage, ETW Tampering"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Antivirus Password Dumper Detection, Suspicious Hangul Word Processor Child Process, Suspicious New Printer Ports In Registry, Audit CVE Event, Msdt (Follina) File Browse Process Execution, Antivirus Relevant File Paths Alerts, Exploit For CVE-2015-1641, Antivirus Exploitation Framework Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Antivirus Password Dumper Detection, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Antivirus Relevant File Paths Alerts, Antivirus Exploitation Framework Detection, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Exclusion Configuration, Netsh RDP Port Opening, Windows Defender Deactivation Using PowerShell Script, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PROCEXP152.sys File Created In Tmp, Netsh RDP Port Forwarding, Netsh Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Disabled IE Security Features, MalwareBytes Uninstallation, Raccine Uninstall, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Configuration Changed, Microsoft Defender Antivirus Disable Services, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, NetNTLM Downgrade Attack, Dism Disabling Windows Defender, WMIC Uninstall Product, TrustedInstaller Impersonation, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Port Opening, Microsoft Malware Protection Engine Crash, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Task Manager Through Registry Key, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Driver Loaded"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Process Names In Command Line, DCSync Attack, NTDS.dit File In Suspicious Directory, Mimikatz Basic Commands, Transfering Files With Credential Data Via Network Shares, Grabbing Sensitive Hives Via Reg Utility, Dumpert LSASS Process Dumper, Process Memory Dump Using Comsvcs, WCE wceaux.dll Creation, Lsass Access Through WinRM, Copying Browser Files With Credentials, Credential Dumping By LaZagne, HackTools Suspicious Names, Impacket Secretsdump.py Tool, Credential Dumping-Tools Common Named Pipes, Credential Dumping Tools Service Execution, NTDS.dit File Interaction Through Command Line, Active Directory Replication from Non Machine Account, LSASS Memory Dump, Suspicious CommandLine Lsassy Pattern, RedMimicry Winnti Playbook Dropped File, Mimikatz LSASS Memory Access, LSASS Access From Non System Account, LSASS Memory Dump File Creation, Windows Credential Editor Registry Key, Load Of dbghelp/dbgcore DLL From Suspicious Process, Cmdkey Cached Credentials Recon, Malicious Service Installations, Unsigned Image Loaded Into LSASS Process, DPAPI Domain Backup Key Extraction, Rubeus Tool Command-line, Password Dumper Activity On LSASS, Wdigest Enable UseLogonCredential, Credential Dump Tools Related Files, NetNTLM Downgrade Attack, Active Directory Database Dump Via Ntdsutil, SAM Registry Hive Handle Request, Process Memory Dump Using Rdrleakdiag, Suspicious SAM Dump, Process Memory Dump Using Createdump, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable Security Events Logging Adding Reg Key MiniNt, Suspicious Desktopimgdownldr Execution, Chafer (APT 39) Activity, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware, Ursnif Registry Key, Disable Workstation Lock, DHCP Callout DLL Installation, FlowCloud Malware, OceanLotus Registry Activity, RDP Sensitive Settings Changed, RedMimicry Winnti Playbook Registry Manipulation, Wdigest Enable UseLogonCredential, DNS ServerLevelPluginDll Installation, RDP Port Change Using Powershell, NetNTLM Downgrade Attack, Suspicious New Printer Ports In Registry, Remote Registry Management Using Reg Utility, Disabling SmartScreen Via Registry"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Information Stealer Downloading Legitimate Third-Party DLLs"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Rclone Process, Suspicious certutil command, Network Connection Via Certutil, Information Stealer Downloading Legitimate Third-Party DLLs, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Setuid Or Setgid Usage, COM Hijack Via Sdclt, CMSTP UAC Bypass via COM Object Access, HTML Smuggling Suspicious Usage, Reconnaissance Commands Activities, UAC Bypass via Event Viewer, UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP UAC Bypass via COM Object Access, CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Empire Monkey Activity, IcedID Execution Using Excel, Suspicious Desktopimgdownldr Execution, Suspicious Mshta Execution, Dynwrapx Module Loading, xWizard Execution, Suspicious Regsvr32 Execution, Malspam Execution Registering Malicious DLL, MavInject Process Injection, PowerShell Execution Via Rundll32, CertOC Loading Dll, Suspicious DLL Loading By Ordinal, CMSTP UAC Bypass via COM Object Access, Suspicious Taskkill Command, MOFComp Execution, Explorer Process Executing HTA File, Equation Group DLL_U Load, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Regasm Regsvcs Usage, CMSTP Execution, SquirrelWaffle Malspam Execution Loading DLL, Control Panel Items, Suspicious Control Process, AccCheckConsole Executing Dll, Mshta JavaScript Execution, Suspicious Windows Installer Execution, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Suspicious Outbound Kerberos Connection, Rubeus Tool Command-line, Suspicious Kerberos Ticket, User Couldn't Call A Privileged Service LsaRegisterLogonProcess, Rubeus Register New Logon Process, Kerberos Pre-Auth Disabled in UAC, Suspicious TGS requests (Kerberoasting)"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Impacket Secretsdump.py Tool, Credential Dumping Tools Service Execution, Credential Dumping-Tools Common Named Pipes, SAM Registry Hive Handle Request, Grabbing Sensitive Hives Via Reg Utility, Suspicious SAM Dump, Credential Dump Tools Related Files, RedMimicry Winnti Playbook Dropped File, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Impacket Secretsdump.py Tool, Credential Dumping Tools Service Execution, Credential Dumping-Tools Common Named Pipes, DPAPI Domain Backup Key Extraction, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Credential Dumping-Tools Common Named Pipes, Credential Dumping Tools Service Execution, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1212", "score": 100, "comment": "Rules: Audit CVE Event, Abusing Azure Browser SSO"}, {"techniqueID": "T1528", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1550.001", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host, Rubeus Tool Command-line, Successful Overpass The Hash Attempt, Abusing Azure Browser SSO"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, QakBot Process Creation, Suspicious CodePage Switch with CHCP, Microsoft Office Creating Suspicious File, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Suspicious VBS Execution Parameter, Suspicious DLL Loaded Via Office Applications, WMI DLL Loaded Via Office, Microsoft Office Spawning Script, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Privileged AD Builtin Group Modified, Mimikatz Basic Commands, Enabling Restricted Admin Mode, Active Directory User Backdoors, User Added to Local Administrators, Active Directory Replication User Backdoor, SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory, Active Directory Delegate To KRBTGT Service, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Creation or Modification of a GPO Scheduled Task, Domain Trust Created Or Removed, Privileged AD Builtin Group Modified, GPO Executable Delivery"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell NTFS Alternate Data Stream, Default Encoding To UTF-8 PowerShell, WMImplant Hack Tool, Suspicious PowerShell Keywords, PowerShell Downgrade Attack, Suspicious PrinterPorts Creation (CVE-2020-1048), Malicious PowerShell Keywords, PowerShell EncodedCommand, Powershell Web Request, In-memory PowerShell, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Credential Prompt, Suspicious Taskkill Command, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, Mshta Suspicious Child Process, PowerShell Download From URL, Invoke-TheHash Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Detection of default Mimikatz banner, Suspicious XOR Encoded PowerShell Command Line, Alternate PowerShell Hosts Pipe, Suspicious PowerShell Invocations - Generic, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Suspicious PowerShell Invocations - Specific, Turla Named Pipes, DNS Exfiltration and Tunneling Tools Execution, PowerShell Invoke Expression With Registry, PowerShell Malicious PowerShell Commandlets"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, COM Hijack Via Sdclt, Control Panel Items, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Suspicious Scripting In A WMI Consumer, HTML Smuggling Suspicious Usage, Sticky Key Like Backdoor Usage, WMI Persistence Script Event Consumer File Write, Reconnaissance Commands Activities, WMI Event Subscription, Component Object Model Hijacking, Change Default File Association"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, WMI Fingerprint Commands, Shadow Copies, System Info Discovery, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Wsmprovhost Wrong Parent, Dynwrapx Module Loading, Smss Wrong Parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, MavInject Process Injection, Process Herpaderping, Svchost Wrong Parent, Process Hollowing Detection, Cobalt Strike Named Pipes, Searchprotocolhost Wrong Parent, Searchindexer Wrong Parent, Taskhost Wrong Parent, Taskhostw Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Explorer Wrong Parent, Malicious Named Pipe"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: WMI Persistence Command Line Event Consumer, Suspicious Commands From MS SQL Server Shell, Winrshost Wrong Parent, Chafer (APT 39) Activity, APT29 Fake Google Update Service Install, Wsmprovhost Wrong Parent, Wininit Wrong Parent, SolarWinds Wrong Child Process, Spoolsv Wrong Parent, Winlogon wrong parent, Svchost Wrong Parent, Winword wrong parent, Taskhostw Wrong Parent, Dllhost Wrong Parent, Cobalt Strike Default Service Creation Usage, Csrss Wrong Parent, Rare Lsass Child Found, Smss Wrong Parent, Malicious Service Installations, OneNote Suspicious Children Process, Searchprotocolhost Child Found, Gpscript Suspicious Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, New Service Creation, Taskhost Wrong Parent, Explorer Wrong Parent, Wmiprvse Wrong Parent, Logonui Wrong Parent, Csrss Child Found, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Userinit Wrong Parent, StoneDrill Service Install, Lsass Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: WMI Persistence Command Line Event Consumer, Suspicious Commands From MS SQL Server Shell, Winrshost Wrong Parent, Chafer (APT 39) Activity, APT29 Fake Google Update Service Install, Wsmprovhost Wrong Parent, Wininit Wrong Parent, SolarWinds Wrong Child Process, Spoolsv Wrong Parent, Winlogon wrong parent, Svchost Wrong Parent, Winword wrong parent, Taskhostw Wrong Parent, Dllhost Wrong Parent, Cobalt Strike Default Service Creation Usage, Csrss Wrong Parent, Rare Lsass Child Found, Smss Wrong Parent, Malicious Service Installations, OneNote Suspicious Children Process, Searchprotocolhost Child Found, Gpscript Suspicious Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, New Service Creation, Taskhost Wrong Parent, Explorer Wrong Parent, Wmiprvse Wrong Parent, Logonui Wrong Parent, Csrss Child Found, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Userinit Wrong Parent, StoneDrill Service Install, Lsass Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: WMI Persistence Command Line Event Consumer, Suspicious Commands From MS SQL Server Shell, Smbexec.py Service Installation, Windows Suspicious Service Creation, Winrshost Wrong Parent, Suspicious PsExec Execution, Suspicious DNS Child Process, Wsmprovhost Wrong Parent, Wininit Wrong Parent, SolarWinds Wrong Child Process, Credential Dumping Tools Service Execution, Spoolsv Wrong Parent, Winlogon wrong parent, Svchost Wrong Parent, PsExec Process, Winword wrong parent, Taskhostw Wrong Parent, Dllhost Wrong Parent, Usage Of Sysinternals Tools, Csrss Wrong Parent, Rare Lsass Child Found, Smss Wrong Parent, Malicious Service Installations, OneNote Suspicious Children Process, Searchprotocolhost Child Found, Gpscript Suspicious Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, Taskhost Wrong Parent, Usage Of Procdump With Common Arguments, Wmiprvse Wrong Parent, Logonui Wrong Parent, Csrss Child Found, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Userinit Wrong Parent, Metasploit PSExec Service Creation, Lsass Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: WMI Persistence Command Line Event Consumer, Suspicious Commands From MS SQL Server Shell, Smbexec.py Service Installation, Windows Suspicious Service Creation, Winrshost Wrong Parent, Suspicious PsExec Execution, Suspicious DNS Child Process, Wsmprovhost Wrong Parent, Wininit Wrong Parent, SolarWinds Wrong Child Process, Credential Dumping Tools Service Execution, Spoolsv Wrong Parent, Windows Update LolBins, Check Point Harmony Mobile Application Forbidden, Winlogon wrong parent, Svchost Wrong Parent, PsExec Process, Winword wrong parent, Taskhostw Wrong Parent, SolarWinds Suspicious File Creation, Dllhost Wrong Parent, Usage Of Sysinternals Tools, Csrss Wrong Parent, Rare Lsass Child Found, Smss Wrong Parent, Malicious Service Installations, OneNote Suspicious Children Process, Searchprotocolhost Child Found, Gpscript Suspicious Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, Taskhost Wrong Parent, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, Wmiprvse Wrong Parent, Logonui Wrong Parent, Csrss Child Found, Microsoft Defender Antivirus Threat Detected, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Userinit Wrong Parent, Metasploit PSExec Service Creation, Lsass Wrong Parent"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Powershell AMSI Bypass, Netsh Port Opening, Python Opening Ports, Netsh Allow Command, Netsh Program Allowed With Suspicious Location, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Eventlog Cleared, Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Event Subscription, Suspicious Scripting In A WMI Consumer, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password, PowerShell Data Compressed"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Remote Task Creation Via ATSVC Named Pipe, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Blue Mockingbird Malware, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Windows Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges, Remote Task Creation Via ATSVC Named Pipe, Chafer (APT 39) Activity, Creation or Modification of a GPO Scheduled Task, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Windows Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges, Chafer (APT 39) Activity, Creation or Modification of a GPO Scheduled Task, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1187", "score": 100, "comment": "Rules: Correlation Suspicious Authentication Coercer Behavior"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, User Couldn't Call A Privileged Service LsaRegisterLogonProcess"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted, Privileged AD Builtin Group Modified"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: GitLab CVE-2021-22205, Suspicious DNS Child Process, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, SCM Database Handle Failure, PowerView commandlets 1, SCM Database Privileged Operation"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Openfiles Usage, Network Scanning and Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, AD Privileged Users Or Groups Reconnaissance, Remote Privileged Group Enumeration, PowerView commandlets 1, Active Directory Data Export Using Csvde, Reconnaissance Commands Activities, Remote Enumeration Of Lateral Movement Groups, Phosphorus (APT35) Exchange Discovery, AD User Enumeration, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1, Netscan Share Access Artefact"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Phosphorus Domain Controller Discovery, NlTest Usage, Trickbot Malware Activity, PowerView commandlets 1, AdFind Usage, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, AD Object WriteDAC Access, ICacls Granting Access To All"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dumping By LaZagne, Credential Dumping Tools Service Execution, Credential Dumping-Tools Common Named Pipes, Process Memory Dump Using Rdrleakdiag, Unsigned Image Loaded Into LSASS Process, Dumpert LSASS Process Dumper, Password Dumper Activity On LSASS, LSASS Memory Dump, Suspicious CommandLine Lsassy Pattern, Credential Dump Tools Related Files, Process Memory Dump Using Createdump, Mimikatz LSASS Memory Access, LSASS Access From Non System Account, Lsass Access Through WinRM, LSASS Memory Dump File Creation, Windows Credential Editor Registry Key, Load Of dbghelp/dbgcore DLL From Suspicious Process"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy, Audit CVE Event, Suspicious New Printer Ports In Registry, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Audit CVE Event, Microsoft Malware Protection Engine Crash"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Registry Checked For Lanmanserver DisableCompression Parameter, Audit CVE Event, CVE-2019-0708 Scan"}, {"techniqueID": "T1499.004", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Antivirus Web Shell Detection, PowerCat Function Loading, Webshell Execution W3WP Process, Microsoft Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, IIS Module Installation Using AppCmd, Antivirus Web Shell Detection, PowerCat Function Loading, Webshell Execution W3WP Process, Microsoft Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Copy Of Legitimate System32 Executable, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder, Execution From Suspicious Folder, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, AutoIt3 Execution From Suspicious Folder, New Or Renamed User Account With '$' In Attribute 'SamAccountName', RTLO Character, Suspicious Cmd.exe Command Line, Explorer Wrong Parent"}, {"techniqueID": "T1129", "score": 100, "comment": "Rules: FoggyWeb Backdoor DLL Loading"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, SSH Tunnel Traffic, Ngrok Process Execution, Netsh Port Forwarding, SSH X11 Forwarding"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Correlation Multi Service Disable"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Stop Backup Services"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Secure Deletion With SDelete, Backup Catalog Deleted"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Process Call Creation, WMIC Uninstall Product, Impacket Wmiexec Module, WMImplant Hack Tool, WMI Install Of Binary, WMI Fingerprint Commands, Invoke-TheHash Commandlets, WMI DLL Loaded Via Office, Suspicious Mshta Execution From Wmi, Wmic Service Call, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1021.002", "score": 100, "comment": "Rules: Protected Storage Service Access, Lateral Movement Remote Named Pipe, Remote Service Activity Via SVCCTL Named Pipe, Smbexec.py Service Installation, Admin Share Access, Cobalt Strike Default Service Creation Usage"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: Protected Storage Service Access, Denied Access To Remote Desktop, MMC Spawning Windows Shell, Lateral Movement Remote Named Pipe, Remote Service Activity Via SVCCTL Named Pipe, RDP Login From Localhost, MMC20 Lateral Movement, Smbexec.py Service Installation, Admin Share Access, RDP Port Change Using Powershell, Lsass Access Through WinRM, Cobalt Strike Default Service Creation Usage"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, Suspicious Windows ANONYMOUS LOGON Local Account Created, User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Impacket Addcomputer, Net.exe User Account Creation, Suspicious Windows ANONYMOUS LOGON Local Account Created, User Account Created"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer, Suspicious Windows ANONYMOUS LOGON Local Account Created"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable Security Events Logging Adding Reg Key MiniNt, Disable .NET ETW Through COMPlus_ETWEnabled, Suspect Svchost Memory Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Chafer (APT 39) Activity, Cryptomining, Sliver DNS Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Many Downloads From Several Binaries, Exfiltration And Tunneling Tools Execution, Dynamic DNS Contacted, Suspicious Windows DNS Queries, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Suspicious LDAP-Attributes Used, Chafer (APT 39) Activity, Sliver DNS Beaconing, Cryptomining"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Active Directory Database Dump Via Ntdsutil, Impacket Secretsdump.py Tool, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Credential Dump Tools Related Files, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Registry Key Used By Some Old Agent Tesla Samples, Narrator Feedback-Hub Persistence, Malware Persistence Registry Key, Autorun Keys Modification, Leviathan Registry Key Activity, Powershell Winlogon Helper DLL, DLL Load via LSASS Registry Key, Suspicious desktop.ini Action, Svchost Modification, Njrat Registry Values, Security Support Provider (SSP) Added to LSA Configuration, RUN Registry Key Created From Suspicious Folder, Kernel Module Alteration, NjRat Registry Changes"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool, Suspicious LDAP-Attributes Used"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool, Suspicious LDAP-Attributes Used"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Remote Enumeration Of Lateral Movement Groups, Remote Privileged Group Enumeration"}, {"techniqueID": "T1021.006", "score": 100, "comment": "Rules: Lsass Access Through WinRM"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious XOR Encoded PowerShell Command Line, Suspicious certutil command, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Gpresult Usage, Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, Network Sniffing, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, Secure Deletion With SDelete, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, OneNote Embedded File"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, Suspicious Network Args In Command Line"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: Denied Access To Remote Desktop, RDP Port Change Using Powershell, RDP Login From Localhost"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, Werfault DLL Injection, Svchost DLL Search Order Hijack, DHCP Server Loaded the CallOut DLL, Suspicious DLL side loading from ProgramData"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, Werfault DLL Injection, Exploiting SetupComplete.cmd CVE-2019-1378, Svchost DLL Search Order Hijack, DHCP Server Loaded the CallOut DLL, Windows Registry Persistence COM Search Order Hijacking, Hijack Legit RDP Session To Move Laterally, Suspicious DLL side loading from ProgramData"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1055.012", "score": 100, "comment": "Rules: Process Hollowing Detection"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line, Active Directory Shadow Credentials"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Registry Key Used By Some Old Agent Tesla Samples, Narrator Feedback-Hub Persistence, Malware Persistence Registry Key, Autorun Keys Modification, Leviathan Registry Key Activity, Svchost Modification, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1484.001", "score": 100, "comment": "Rules: Creation or Modification of a GPO Scheduled Task, GPO Executable Delivery"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, Credentials Extraction, Information Stealer Downloading Legitimate Third-Party DLLs, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Remote Registry Management Using Reg Utility, XCopy Suspicious Usage, Outlook Registry Access, Adexplorer Usage, Credentials Extraction, Opening Of a Password File"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Dynwrapx Module Loading, IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, PowerShell Execution Via Rundll32, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands, Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: System Network Connections Discovery, Adidnsdump Enumeration, ACLight Discovering Privileged Accounts, Remote System Discovery Via Telnet, Microsoft Windows Active Directory Module Commandlets"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, WMIC Uninstall Product, MalwareBytes Uninstallation, Exploited CVE-2020-10189 Zoho ManageEngine, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Lazarus Loaders, Elise Backdoor, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, Phorpiex DriveMgr Command, Mustang Panda Dropper"}, {"techniqueID": "T1110.003", "score": 100, "comment": "Rules: Correlation Internal Ntlm Password Spraying, Correlation Internal Kerberos Password Spraying"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Correlation Internal Ntlm Password Spraying, Correlation Internal Kerberos Password Spraying"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Denied Access To Remote Desktop, Account Tampering - Suspicious Failed Logon Reasons, Account Added To A Security Enabled Group, User Added to Local Administrators, Account Removed From A Security Enabled Group, Admin User RDP Remote Logon"}, {"techniqueID": "T1003.006", "score": 100, "comment": "Rules: Active Directory Replication from Non Machine Account, DCSync Attack, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, TUN/TAP Driver Installation, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder, Explorer Wrong Parent"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, AD Privileged Users Or Groups Reconnaissance, Active Directory Data Export Using Csvde, AD User Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1100", "score": 100, "comment": "Rules: Antivirus Web Shell Detection"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Access To Sensitive File Extensions"}, {"techniqueID": "T1091", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1200", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, Cisco Umbrella Threat Detected, Suspicious Outlook Child Process"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Remote File Copy, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, Suspicious Windows DNS Queries"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, SysKey Registry Keys Access, Putty Sessions Listing, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host, Successful Overpass The Hash Attempt"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup, Wmic Suspicious Commands"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1649", "score": 100, "comment": "Rules: Suspicious Kerberos Ticket, Suspicious Certificate Request-adcs Abuse"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: Dynwrapx Module Loading, MavInject Process Injection"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: WMIC Loading Scripting Libraries, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1207", "score": 100, "comment": "Rules: DC Shadow via Service Principal Name (SPN) creation"}, {"techniqueID": "T1574.001", "score": 100, "comment": "Rules: Svchost DLL Search Order Hijack, Windows Registry Persistence COM Search Order Hijacking"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1086", "score": 100, "comment": "Rules: In-memory PowerShell"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1558.004", "score": 100, "comment": "Rules: Kerberos Pre-Auth Disabled in UAC"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious Hostname, Netsh Port Forwarding"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Secure Deletion With SDelete, Compression Followed By Suppression"}, {"techniqueID": "T1027.005", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1548.001", "score": 100, "comment": "Rules: Setuid Or Setgid Usage"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Sekoia.io Endpoint Agent", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204.002", "score": 100, "comment": "Rules: HarfangLab EDR Low Threat, HarfangLab EDR Medium Level Rule Detection, IcedID Execution Using Excel, HarfangLab EDR Low Level Rule Detection, Microsoft Office Spawning Script, HarfangLab EDR Hlai Engine Detection, Malspam Execution Registering Malicious DLL, Exploit For CVE-2015-1641, Microsoft Office Creating Suspicious File, Microsoft Office Product Spawning Windows Shell, Sysmon Windows File Block Executable, HarfangLab EDR Critical Level Rule Detection, HarfangLab EDR Process Execution Blocked (HL-AI engine), HarfangLab EDR High Threat, Winword Document Droppers, HarfangLab EDR High Level Rule Detection, Suspicious DLL Loaded Via Office Applications, HarfangLab EDR Medium Threat, HarfangLab EDR Critical Threat, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, HarfangLab EDR Suspicious Process Behavior Has Been Detected, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HarfangLab EDR Low Threat, HarfangLab EDR Medium Level Rule Detection, ZIP LNK Infection Chain, IcedID Execution Using Excel, HTA Infection Chains, HarfangLab EDR Low Level Rule Detection, Microsoft Defender Antivirus Threat Detected, Microsoft Office Spawning Script, HarfangLab EDR Hlai Engine Detection, Malspam Execution Registering Malicious DLL, Exploit For CVE-2015-1641, Microsoft Office Creating Suspicious File, Microsoft Office Product Spawning Windows Shell, Sysmon Windows File Block Executable, HarfangLab EDR Critical Level Rule Detection, HarfangLab EDR Process Execution Blocked (HL-AI engine), HarfangLab EDR High Threat, Winword Document Droppers, HarfangLab EDR High Level Rule Detection, Suspicious DLL Loaded Via Office Applications, HarfangLab EDR Medium Threat, ISO LNK Infection Chain, HarfangLab EDR Critical Threat, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, HarfangLab EDR Suspicious Process Behavior Has Been Detected, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Outlook Child Process, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, PowerShell Commands Invocation, Suspicious File Name, Suspicious Outlook Child Process, Bloodhound and Sharphound Tools Usage, Suspicious XOR Encoded PowerShell Command Line, Venom Multi-hop Proxy agent detection, Detection of default Mimikatz banner, Suspicious PowerShell Keywords, Suspicious Cmd.exe Command Line, WMIC Uninstall Product, Suspicious PowerShell Invocations - Specific, Suspicious VBS Execution Parameter, Microsoft Defender Antivirus Threat Detected, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, SquirrelWaffle Malspam Execution Loading DLL, Suspicious CodePage Switch with CHCP, In-memory PowerShell, Microsoft Office Spawning Script, Suspicious Scripting In A WMI Consumer, Phorpiex DriveMgr Command, Socat Reverse Shell Detection, Invoke-TheHash Commandlets, Malspam Execution Registering Malicious DLL, Powershell Web Request, XSL Script Processing And SquiblyTwo Attack, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Office Creating Suspicious File, Mshta Suspicious Child Process, WMImplant Hack Tool, Alternate PowerShell Hosts Pipe, PowerShell Credential Prompt, Sekoia.io EICAR Detection, Default Encoding To UTF-8 PowerShell, PowerShell Malicious PowerShell Commandlets, DNS Exfiltration and Tunneling Tools Execution, AutoIt3 Execution From Suspicious Folder, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Socat Relaying Socket, PowerShell EncodedCommand, FromBase64String Command Line, WMI DLL Loaded Via Office, Suspicious Taskkill Command, Suspicious DLL Loaded Via Office Applications, QakBot Process Creation, Aspnet Compiler, PowerShell Downgrade Attack, PowerShell NTFS Alternate Data Stream, Elise Backdoor, Exploited CVE-2020-10189 Zoho ManageEngine, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PowerShell Invocations - Generic, Trickbot Malware Activity, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Suspicious Windows Script Execution, Turla Named Pipes, Mustang Panda Dropper, Lazarus Loaders, Sysprep On AppData Folder, Malicious PowerShell Keywords, PowerShell Download From URL"}, {"techniqueID": "T1557.001", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Correlation Suspicious Authentication Coercer Behavior, Possible RottenPotato Attack"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Possible RottenPotato Attack"}, {"techniqueID": "T1137.006", "score": 100, "comment": "Rules: Microsoft Office Startup Add-In"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, IcedID Execution Using Excel, Microsoft Office Startup Add-In"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Windows Firewall Changes, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Program Allowed With Suspicious Location, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Powershell AMSI Bypass, Microsoft Defender Antivirus Exclusion Configuration, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Opening, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Microsoft Malware Protection Engine Crash, TrustedInstaller Impersonation, Microsoft Defender Antivirus Tampering Detected, Disable Security Events Logging Adding Reg Key MiniNt, Microsoft Defender Antivirus Disable Scheduled Tasks, Python Opening Ports, Netsh Port Opening, Disabled IE Security Features, Netsh Port Forwarding, FLTMC command usage, Netsh Allow Command, Suspect Svchost Memory Access, NetNTLM Downgrade Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, ETW Tampering, Disable .NET ETW Through COMPlus_ETWEnabled, AMSI Deactivation Using Registry Key, Suspicious Driver Loaded, Microsoft Defender Antivirus Configuration Changed, Microsoft Defender Antivirus Disable Services, Clear EventLogs Through CommandLine, Windows Defender Deactivation Using PowerShell Script, Raccine Uninstall, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Suspicious PROCEXP152.sys File Created In Tmp, Disable Task Manager Through Registry Key"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, Microsoft Defender Antivirus Tampering Detected, High Privileges Network Share Removal, Eventlog Cleared, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Deleted, Secure Deletion With SDelete, Cookies Deletion, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, FLTMC command usage"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Antivirus Relevant File Paths Alerts, Suspicious Hangul Word Processor Child Process, Msdt (Follina) File Browse Process Execution, Exploit For CVE-2015-1641, Suspicious New Printer Ports In Registry, Audit CVE Event, Antivirus Password Dumper Detection, Antivirus Exploitation Framework Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Antivirus Relevant File Paths Alerts, Remote Monitoring and Management Software - AnyDesk, Antivirus Password Dumper Detection, Antivirus Exploitation Framework Detection, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Program Allowed With Suspicious Location, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Microsoft Defender Antivirus Exclusion Configuration, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Opening, Microsoft Malware Protection Engine Crash, TrustedInstaller Impersonation, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Port Opening, Disabled IE Security Features, Netsh Port Forwarding, NetNTLM Downgrade Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, AMSI Deactivation Using Registry Key, Suspicious Driver Loaded, Microsoft Defender Antivirus Configuration Changed, Microsoft Defender Antivirus Disable Services, Windows Defender Deactivation Using PowerShell Script, Raccine Uninstall, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Suspicious PROCEXP152.sys File Created In Tmp, Disable Task Manager Through Registry Key"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Malicious Service Installations, Dumpert LSASS Process Dumper, Process Memory Dump Using Comsvcs, NTDS.dit File In Suspicious Directory, Active Directory Replication from Non Machine Account, HackTools Suspicious Process Names In Command Line, HackTools Suspicious Names, Transfering Files With Credential Data Via Network Shares, DCSync Attack, Suspicious SAM Dump, Mimikatz LSASS Memory Access, Password Dumper Activity On LSASS, Grabbing Sensitive Hives Via Reg Utility, RedMimicry Winnti Playbook Dropped File, LSASS Access From Non System Account, Credential Dumping Tools Service Execution, Rubeus Tool Command-line, Copying Sensitive Files With Credential Data, Credential Dump Tools Related Files, Suspicious CommandLine Lsassy Pattern, WCE wceaux.dll Creation, Lsass Access Through WinRM, NetNTLM Downgrade Attack, Process Memory Dump Using Rdrleakdiag, Wdigest Enable UseLogonCredential, LSASS Memory Dump File Creation, Process Memory Dump Using Createdump, SAM Registry Hive Handle Request, Windows Credential Editor Registry Key, Credential Dumping By LaZagne, Load Of dbghelp/dbgcore DLL From Suspicious Process, Impacket Secretsdump.py Tool, Mimikatz Basic Commands, DPAPI Domain Backup Key Extraction, NTDS.dit File Interaction Through Command Line, Credential Dumping-Tools Common Named Pipes, LSASS Memory Dump, Active Directory Database Dump Via Ntdsutil, Copying Browser Files With Credentials, Unsigned Image Loaded Into LSASS Process"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, Disable Workstation Lock, RDP Sensitive Settings Changed, Suspicious New Printer Ports In Registry, RedMimicry Winnti Playbook Registry Manipulation, Chafer (APT 39) Activity, Disable Security Events Logging Adding Reg Key MiniNt, Remote Registry Management Using Reg Utility, NetNTLM Downgrade Attack, Blue Mockingbird Malware, Wdigest Enable UseLogonCredential, Suspicious Desktopimgdownldr Execution, Disabling SmartScreen Via Registry, Disable .NET ETW Through COMPlus_ETWEnabled, DNS ServerLevelPluginDll Installation, FlowCloud Malware, OceanLotus Registry Activity, DHCP Callout DLL Installation, Ursnif Registry Key"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Information Stealer Downloading Legitimate Third-Party DLLs"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File, Information Stealer Downloading Legitimate Third-Party DLLs, Network Connection Via Certutil, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Rclone Process, Suspicious Finger Usage"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, Setuid Or Setgid Usage, UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access, Reconnaissance Commands Activities, COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, UAC Bypass Via Sdclt"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution, Dynwrapx Module Loading, AccCheckConsole Executing Dll, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, Mshta JavaScript Execution, MavInject Process Injection, Suspicious Control Process, MOFComp Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Regasm Regsvcs Usage, Malspam Execution Registering Malicious DLL, CertOC Loading Dll, xWizard Execution, PowerShell Execution Via Rundll32, Control Panel Items, Empire Monkey Activity, Suspicious Desktopimgdownldr Execution, Suspicious Taskkill Command, Suspicious Mshta Execution, Suspicious DLL Loading By Ordinal, Suspicious Regsvr32 Execution, CMSTP UAC Bypass via COM Object Access, CMSTP Execution, Explorer Process Executing HTA File, Equation Group DLL_U Load, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Suspicious Kerberos Ticket, Suspicious Outbound Kerberos Connection, Rubeus Register New Logon Process, Kerberos Pre-Auth Disabled in UAC, Possible Replay Attack, User Couldn't Call A Privileged Service LsaRegisterLogonProcess, Suspicious TGS requests (Kerberoasting)"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dumping Tools Service Execution, Copying Sensitive Files With Credential Data, Credential Dump Tools Related Files, Impacket Secretsdump.py Tool, Grabbing Sensitive Hives Via Reg Utility, RedMimicry Winnti Playbook Dropped File, Credential Dumping-Tools Common Named Pipes, Suspicious SAM Dump, Copying Browser Files With Credentials, SAM Registry Hive Handle Request"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dumping Tools Service Execution, Credential Dump Tools Related Files, Impacket Secretsdump.py Tool, DPAPI Domain Backup Key Extraction, Grabbing Sensitive Hives Via Reg Utility, Credential Dumping-Tools Common Named Pipes"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Credential Dumping Tools Service Execution, Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility, Credential Dumping-Tools Common Named Pipes"}, {"techniqueID": "T1212", "score": 100, "comment": "Rules: Audit CVE Event, Abusing Azure Browser SSO"}, {"techniqueID": "T1528", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1550.001", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Potential RDP Connection To Non-Domain Host, Abusing Azure Browser SSO, Successful Overpass The Hash Attempt"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Microsoft Office Spawning Script, Suspicious DLL Loaded Via Office Applications, Malspam Execution Registering Malicious DLL, XSL Script Processing And SquiblyTwo Attack, WMI DLL Loaded Via Office, Microsoft Office Creating Suspicious File, Suspicious Windows Script Execution, SquirrelWaffle Malspam Execution Loading DLL, QakBot Process Creation, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Active Directory Delegate To KRBTGT Service, User Added to Local Administrators, Active Directory Replication User Backdoor, Mimikatz Basic Commands, Active Directory User Backdoors, Enabling Restricted Admin Mode, SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory, Password Change On Directory Service Restore Mode (DSRM) Account, Privileged AD Builtin Group Modified"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: GPO Executable Delivery, Domain Trust Created Or Removed, Privileged AD Builtin Group Modified, Creation or Modification of a GPO Scheduled Task"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, Bloodhound and Sharphound Tools Usage, Suspicious XOR Encoded PowerShell Command Line, Detection of default Mimikatz banner, Suspicious PowerShell Keywords, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, In-memory PowerShell, Invoke-TheHash Commandlets, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), Mshta Suspicious Child Process, WMImplant Hack Tool, Alternate PowerShell Hosts Pipe, PowerShell Credential Prompt, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, FromBase64String Command Line, Suspicious Taskkill Command, PowerShell Downgrade Attack, PowerShell NTFS Alternate Data Stream, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious PowerShell Invocations - Generic, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Turla Named Pipes, PowerShell Malicious PowerShell Commandlets, Malicious PowerShell Keywords, PowerShell Download From URL"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Suspicious Scripting In A WMI Consumer, Suspicious Netsh DLL Persistence, Control Panel Items, Component Object Model Hijacking, Sticky Key Like Backdoor Usage, Reconnaissance Commands Activities, Change Default File Association, WMI Event Subscription, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, New DLL Added To AppCertDlls Registry Key, COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, WMI Fingerprint Commands, Suspicious Headless Web Browser Execution To Download File, Shadow Copies, System Info Discovery"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Cobalt Strike Named Pipes, Svchost Wrong Parent, Dynwrapx Module Loading, Taskhostw Wrong Parent, Process Herpaderping, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Smss Wrong Parent, Wsmprovhost Wrong Parent, Wmiprvse Wrong Parent, MavInject Process Injection, Explorer Wrong Parent, Spoolsv Wrong Parent, Malicious Named Pipe, Process Hollowing Detection, Searchindexer Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Malicious Service Installations, Taskhostw Wrong Parent, Rare Logonui Child Found, Searchprotocolhost Wrong Parent, APT29 Fake Google Update Service Install, Chafer (APT 39) Activity, Spoolsv Wrong Parent, Wininit Wrong Parent, WMI Persistence Command Line Event Consumer, New Service Creation, Userinit Wrong Parent, Winrshost Wrong Parent, Gpscript Suspicious Parent, SolarWinds Wrong Child Process, Smss Wrong Parent, Explorer Wrong Parent, Winword wrong parent, OneNote Suspicious Children Process, StoneDrill Service Install, Dllhost Wrong Parent, Svchost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Lsass Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Rare Lsass Child Found, Searchprotocolhost Child Found, Csrss Wrong Parent, Cobalt Strike Default Service Creation Usage, Csrss Child Found, Suspicious Commands From MS SQL Server Shell, Wmiprvse Wrong Parent, Logonui Wrong Parent, Searchindexer Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Malicious Service Installations, Taskhostw Wrong Parent, Rare Logonui Child Found, Searchprotocolhost Wrong Parent, APT29 Fake Google Update Service Install, Chafer (APT 39) Activity, Spoolsv Wrong Parent, Wininit Wrong Parent, WMI Persistence Command Line Event Consumer, New Service Creation, Userinit Wrong Parent, Winrshost Wrong Parent, Gpscript Suspicious Parent, SolarWinds Wrong Child Process, Smss Wrong Parent, Explorer Wrong Parent, Winword wrong parent, OneNote Suspicious Children Process, StoneDrill Service Install, Dllhost Wrong Parent, Svchost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Lsass Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Rare Lsass Child Found, Searchprotocolhost Child Found, Csrss Wrong Parent, Cobalt Strike Default Service Creation Usage, Csrss Child Found, Suspicious Commands From MS SQL Server Shell, Wmiprvse Wrong Parent, Logonui Wrong Parent, Searchindexer Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Malicious Service Installations, Taskhostw Wrong Parent, Rare Logonui Child Found, Searchprotocolhost Wrong Parent, PsExec Process, Spoolsv Wrong Parent, Wininit Wrong Parent, WMI Persistence Command Line Event Consumer, Userinit Wrong Parent, Winrshost Wrong Parent, Gpscript Suspicious Parent, SolarWinds Wrong Child Process, Smss Wrong Parent, Suspicious PsExec Execution, Usage Of Procdump With Common Arguments, Winword wrong parent, OneNote Suspicious Children Process, Suspicious DNS Child Process, Credential Dumping Tools Service Execution, Dllhost Wrong Parent, Svchost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Lsass Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Rare Lsass Child Found, Searchprotocolhost Child Found, Metasploit PSExec Service Creation, Csrss Wrong Parent, Windows Suspicious Service Creation, Smbexec.py Service Installation, Csrss Child Found, Suspicious Commands From MS SQL Server Shell, Usage Of Sysinternals Tools, Wmiprvse Wrong Parent, Logonui Wrong Parent, Searchindexer Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Malicious Service Installations, Check Point Harmony Mobile Application Forbidden, Taskhostw Wrong Parent, Rare Logonui Child Found, Searchprotocolhost Wrong Parent, PsExec Process, Spoolsv Wrong Parent, Wininit Wrong Parent, WMI Persistence Command Line Event Consumer, Microsoft Defender Antivirus Threat Detected, Userinit Wrong Parent, Exfiltration Via Pscp, Winrshost Wrong Parent, Windows Update LolBins, Gpscript Suspicious Parent, SolarWinds Wrong Child Process, Smss Wrong Parent, Suspicious PsExec Execution, Usage Of Procdump With Common Arguments, Winword wrong parent, OneNote Suspicious Children Process, Suspicious DNS Child Process, Credential Dumping Tools Service Execution, Dllhost Wrong Parent, Svchost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Lsass Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Rare Lsass Child Found, Searchprotocolhost Child Found, Metasploit PSExec Service Creation, Csrss Wrong Parent, Windows Suspicious Service Creation, Smbexec.py Service Installation, Csrss Child Found, SolarWinds Suspicious File Creation, Suspicious Commands From MS SQL Server Shell, Usage Of Sysinternals Tools, Wmiprvse Wrong Parent, Logonui Wrong Parent, Searchindexer Wrong Parent"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Netsh Allow Command, Netsh RDP Port Forwarding, Windows Firewall Changes, Python Opening Ports, Netsh Program Allowed With Suspicious Location, Powershell AMSI Bypass, Netsh Port Opening, Netsh Port Forwarding"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Eventlog Cleared, Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, WMI Event Subscription, Suspicious Scripting In A WMI Consumer"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, PowerShell Data Compressed, Data Compressed With Rar With Password"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Remote Task Creation Via ATSVC Named Pipe, Blue Mockingbird Malware, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Creation or Modification of a GPO Scheduled Task, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Suspicious Parent, Remote Task Creation Via ATSVC Named Pipe, Spyware Persistence Using Schtasks, Chafer (APT 39) Activity, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, Windows Suspicious Scheduled Task Creation"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Creation or Modification of a GPO Scheduled Task, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, Chafer (APT 39) Activity, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, Windows Suspicious Scheduled Task Creation"}, {"techniqueID": "T1187", "score": 100, "comment": "Rules: Correlation Suspicious Authentication Coercer Behavior"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: User Couldn't Call A Privileged Service LsaRegisterLogonProcess, Rubeus Tool Command-line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, Privileged AD Builtin Group Modified, User Account Deleted"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: GitLab CVE-2021-22205, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, Suspicious DNS Child Process"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, SCM Database Privileged Operation, PowerView commandlets 2, SCM Database Handle Failure"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2, Network Scanning and Discovery, Openfiles Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, AD Privileged Users Or Groups Reconnaissance, Active Directory Data Export Using Csvde, Remote Enumeration Of Lateral Movement Groups, Bloodhound and Sharphound Tools Usage, Phosphorus (APT35) Exchange Discovery, PowerView commandlets 2, Reconnaissance Commands Activities, Remote Privileged Group Enumeration, PowerView commandlets 1, AD User Enumeration"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 1, Netscan Share Access Artefact, Network Share Discovery, PowerView commandlets 2"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, Trickbot Malware Activity, PowerView commandlets 2, NlTest Usage, AdFind Usage, Phosphorus Domain Controller Discovery, PowerView commandlets 1"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: AD Object WriteDAC Access, ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dumping Tools Service Execution, Dumpert LSASS Process Dumper, Credential Dump Tools Related Files, Windows Credential Editor Registry Key, Suspicious CommandLine Lsassy Pattern, Load Of dbghelp/dbgcore DLL From Suspicious Process, Credential Dumping By LaZagne, Lsass Access Through WinRM, Password Dumper Activity On LSASS, Process Memory Dump Using Rdrleakdiag, LSASS Memory Dump File Creation, Process Memory Dump Using Createdump, Credential Dumping-Tools Common Named Pipes, LSASS Memory Dump, Mimikatz LSASS Memory Access, LSASS Access From Non System Account, Unsigned Image Loaded Into LSASS Process"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Audit CVE Event, Suspicious New Printer Ports In Registry, Certify Or Certipy, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Audit CVE Event, Microsoft Malware Protection Engine Crash"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Audit CVE Event, Registry Checked For Lanmanserver DisableCompression Parameter, CVE-2019-0708 Scan"}, {"techniqueID": "T1499.004", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading, Webshell Creation, Webshell Execution W3WP Process, Antivirus Web Shell Detection, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading, Webshell Creation, Webshell Execution W3WP Process, IIS Module Installation Using AppCmd, Antivirus Web Shell Detection, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Execution From Suspicious Folder, RTLO Character, Copy Of Legitimate System32 Executable, AutoIt3 Execution From Suspicious Folder, Formbook Hijacked Process Command, Non-Legitimate Executable Using AcceptEula Parameter, New Or Renamed User Account With '$' In Attribute 'SamAccountName', Legitimate Process Execution From Unusual Folder, Suspicious Cmd.exe Command Line, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1129", "score": 100, "comment": "Rules: FoggyWeb Backdoor DLL Loading"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SSH Tunnel Traffic, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Socat Reverse Shell Detection, SSH X11 Forwarding, Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Ngrok Process Execution, Netsh Port Forwarding"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Stop Backup Services, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Secure Deletion With SDelete, Backup Catalog Deleted, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, WMI Fingerprint Commands, WMI Install Of Binary, Impacket Wmiexec Module, Invoke-TheHash Commandlets, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, WMI DLL Loaded Via Office, Wmic Process Call Creation, WMIC Uninstall Product, WMImplant Hack Tool, Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1021.002", "score": 100, "comment": "Rules: Cobalt Strike Default Service Creation Usage, Smbexec.py Service Installation, Protected Storage Service Access, Remote Service Activity Via SVCCTL Named Pipe, Admin Share Access, Lateral Movement Remote Named Pipe"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, MMC20 Lateral Movement, Cobalt Strike Default Service Creation Usage, Smbexec.py Service Installation, Lsass Access Through WinRM, Protected Storage Service Access, RDP Login From Localhost, Remote Service Activity Via SVCCTL Named Pipe, MMC Spawning Windows Shell, Admin Share Access, Lateral Movement Remote Named Pipe, Denied Access To Remote Desktop"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, PowerShell NTFS Alternate Data Stream, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created, Suspicious Windows ANONYMOUS LOGON Local Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created, Suspicious Windows ANONYMOUS LOGON Local Account Created, Impacket Addcomputer"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Suspicious Windows ANONYMOUS LOGON Local Account Created, Impacket Addcomputer"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled, Disable Security Events Logging Adding Reg Key MiniNt, Suspect Svchost Memory Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing, DNS Tunnel Technique From MuddyWater, Chafer (APT 39) Activity"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Cryptomining, Suspicious LDAP-Attributes Used, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Sliver DNS Beaconing, Suspicious Windows DNS Queries, Many Downloads From Several Binaries, DNS Tunnel Technique From MuddyWater, Chafer (APT 39) Activity, Dynamic DNS Contacted"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files, Impacket Secretsdump.py Tool, NTDS.dit File Interaction Through Command Line, Active Directory Database Dump Via Ntdsutil"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, DLL Load via LSASS Registry Key, Malware Persistence Registry Key, Narrator Feedback-Hub Persistence, RUN Registry Key Created From Suspicious Folder, Suspicious desktop.ini Action, NjRat Registry Changes, Svchost Modification, Njrat Registry Values, Registry Key Used By Some Old Agent Tesla Samples, Autorun Keys Modification, Kernel Module Alteration, Powershell Winlogon Helper DLL, Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool, Suspicious LDAP-Attributes Used"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool, Suspicious LDAP-Attributes Used"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Remote Enumeration Of Lateral Movement Groups, Bloodhound and Sharphound Tools Usage, Remote Privileged Group Enumeration"}, {"techniqueID": "T1021.006", "score": 100, "comment": "Rules: Lsass Access Through WinRM"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Secure Deletion With SDelete"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, Suspicious Network Args In Command Line"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, Denied Access To Remote Desktop, RDP Login From Localhost"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL, Werfault DLL Injection, DNS Server Error Failed Loading The ServerLevelPluginDLL, Svchost DLL Search Order Hijack, Suspicious DLL side loading from ProgramData, DHCP Callout DLL Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL, Exploiting SetupComplete.cmd CVE-2019-1378, Windows Registry Persistence COM Search Order Hijacking, Werfault DLL Injection, DNS Server Error Failed Loading The ServerLevelPluginDLL, Svchost DLL Search Order Hijack, Hijack Legit RDP Session To Move Laterally, Suspicious DLL side loading from ProgramData, DHCP Callout DLL Installation"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1055.012", "score": 100, "comment": "Rules: Process Hollowing Detection"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: Active Directory Shadow Credentials, KeePass Config XML In Command-Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder, Narrator Feedback-Hub Persistence, Svchost Modification, Registry Key Used By Some Old Agent Tesla Samples, Autorun Keys Modification, Malware Persistence Registry Key"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1484.001", "score": 100, "comment": "Rules: GPO Executable Delivery, Creation or Modification of a GPO Scheduled Task"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, Credentials Extraction, Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, Remote Registry Management Using Reg Utility, Credentials Extraction, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Dynwrapx Module Loading, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, Empire Monkey Activity, Equation Group DLL_U Load, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, Suspicious Headless Web Browser Execution To Download File, Discovery Commands Correlation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, Cmd.exe Used To Run Reconnaissance Commands, Discovery Commands Correlation"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: System Network Connections Discovery, Remote System Discovery Via Telnet, ACLight Discovering Privileged Accounts, Microsoft Windows Active Directory Module Commandlets, Adidnsdump Enumeration"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Elise Backdoor, Exploited CVE-2020-10189 Zoho ManageEngine, Exploiting SetupComplete.cmd CVE-2019-1378, Phorpiex DriveMgr Command, Malspam Execution Registering Malicious DLL, Suspicious Cmd.exe Command Line, Suspicious Taskkill Command, Mustang Panda Dropper, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1110.003", "score": 100, "comment": "Rules: Correlation Internal Kerberos Password Spraying, Correlation Internal Ntlm Password Spraying"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Correlation Internal Kerberos Password Spraying, Correlation Internal Ntlm Password Spraying"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: User Added to Local Administrators, Admin User RDP Remote Logon, Account Tampering - Suspicious Failed Logon Reasons, Account Added To A Security Enabled Group, Denied Access To Remote Desktop, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1003.006", "score": 100, "comment": "Rules: Credential Dumping Tools Service Execution, Active Directory Replication from Non Machine Account, DCSync Attack"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Exfiltration Domain, Powershell UploadString Function, TUN/TAP Driver Installation"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line, Exfiltration Domain"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Legitimate Process Execution From Unusual Folder, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, AD Privileged Users Or Groups Reconnaissance, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, AD User Enumeration"}, {"techniqueID": "T1100", "score": 100, "comment": "Rules: Antivirus Web Shell Detection"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Access To Sensitive File Extensions"}, {"techniqueID": "T1091", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1200", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Cisco Umbrella Threat Detected, Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, Suspicious Outlook Child Process"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Remote File Copy, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, Suspicious Windows DNS Queries"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, SysKey Registry Keys Access, Remote Registry Management Using Reg Utility, Putty Sessions Listing"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host, Successful Overpass The Hash Attempt"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1649", "score": 100, "comment": "Rules: Suspicious Certificate Request-adcs Abuse, Suspicious Kerberos Ticket"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: Dynwrapx Module Loading, MavInject Process Injection"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: WMIC Loading Scripting Libraries, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1207", "score": 100, "comment": "Rules: DC Shadow via Service Principal Name (SPN) creation"}, {"techniqueID": "T1574.001", "score": 100, "comment": "Rules: Windows Registry Persistence COM Search Order Hijacking, Svchost DLL Search Order Hijack"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1086", "score": 100, "comment": "Rules: In-memory PowerShell"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1558.004", "score": 100, "comment": "Rules: Kerberos Pre-Auth Disabled in UAC"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious Hostname, Netsh Port Forwarding"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression, Secure Deletion With SDelete"}, {"techniqueID": "T1027.005", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1548.001", "score": 100, "comment": "Rules: Setuid Or Setgid Usage"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_255764ef-eaf6-4964-958e-81b9418e6584_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_255764ef-eaf6-4964-958e-81b9418e6584_do_not_edit_manually.json
index 798627516d..a834e8dd15 100644
--- a/_shared_content/operations_center/detection/generated/attack_255764ef-eaf6-4964-958e-81b9418e6584_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_255764ef-eaf6-4964-958e-81b9418e6584_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Kaspersky Endpoint Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, Process Trace Alteration, NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation, Credential Dump Tools Related Files"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, RTLO Character"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Kaspersky Endpoint Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Process Trace Alteration, NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation, HackTools Suspicious Names"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, RTLO Character"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_270777d7-0c5a-42fb-b901-b7fadfb0ba48_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_270777d7-0c5a-42fb-b901-b7fadfb0ba48_do_not_edit_manually.json
index e491720a66..30322999e9 100644
--- a/_shared_content/operations_center/detection/generated/attack_270777d7-0c5a-42fb-b901-b7fadfb0ba48_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_270777d7-0c5a-42fb-b901-b7fadfb0ba48_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Fortinet FortiProxy", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, HTA Infection Chains, Download Files From Non-Legitimate TLDs, ISO LNK Infection Chain, Login Brute-Force Successful On SentinelOne EDR Management Console, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Login Brute-Force Successful On SentinelOne EDR Management Console, Suspicious File Name"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, HTA Infection Chains, Download Files From Non-Legitimate TLDs, ISO LNK Infection Chain, Download Files From Suspicious TLDs"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, HackTools Suspicious Names, Credential Dump Tools Related Files"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Correlation Potential DNS Tunnel, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, Bazar Loader DGA (Domain Generation Algorithm), Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cryptomining, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, LokiBot Default C2 URL"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, LokiBot Default C2 URL"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Fortinet FortiProxy", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, Download Files From Suspicious TLDs, HTA Infection Chains, Cobalt Strike Default Beacons Names, Download Files From Non-Legitimate TLDs, Login Brute-Force Successful On SentinelOne EDR Management Console, ISO LNK Infection Chain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Login Brute-Force Successful On SentinelOne EDR Management Console, Suspicious File Name"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, Download Files From Suspicious TLDs, HTA Infection Chains, Download Files From Non-Legitimate TLDs, ISO LNK Infection Chain"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, HackTools Suspicious Names, WCE wceaux.dll Creation"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Detect requests to Konni C2 servers, Koadic MSHTML Command, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Covenant Default HTTP Beaconing, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Download Files From Non-Legitimate TLDs, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.json
index d3d22d714f..610eba7ca2 100644
--- a/_shared_content/operations_center/detection/generated/attack_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Azure Windows", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir, Winword Document Droppers, Sysmon Windows File Block Executable, Malspam Execution Registering Malicious DLL, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File, Microsoft Defender Antivirus Threat Detected, IcedID Execution Using Excel, MS Office Product Spawning Exe in User Dir, Winword Document Droppers, Sysmon Windows File Block Executable, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Exploit For CVE-2015-1641, Suspicious Outlook Child Process, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, Login Brute-Force Successful On SentinelOne EDR Management Console, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Venom Multi-hop Proxy agent detection, Suspicious Windows Script Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious CodePage Switch with CHCP, Default Encoding To UTF-8 PowerShell, Socat Reverse Shell Detection, Generic-reverse-shell-oneliner, WMImplant Hack Tool, Suspicious PowerShell Keywords, Trickbot Malware Activity, PowerShell Downgrade Attack, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PrinterPorts Creation (CVE-2020-1048), Mustang Panda Dropper, PowerShell EncodedCommand, QakBot Process Creation, Socat Relaying Socket, Sysprep On AppData Folder, Powershell Web Request, Malspam Execution Registering Malicious DLL, Suspicious Outlook Child Process, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Taskkill Command, AutoIt3 Execution From Suspicious Folder, Bloodhound and Sharphound Tools Usage, Suspicious Cmd.exe Command Line, MalwareBytes Uninstallation, PowerShell Malicious Nishang PowerShell Commandlets, Mshta Suspicious Child Process, PowerShell Download From URL, PowerShell Commands Invocation, Microsoft Office Spawning Script, Invoke-TheHash Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Login Brute-Force Successful On SentinelOne EDR Management Console, Phorpiex DriveMgr Command, XSL Script Processing And SquiblyTwo Attack, Suspicious XOR Encoded PowerShell Command Line, WMIC Uninstall Product, Suspicious PowerShell Invocations - Generic, Exploited CVE-2020-10189 Zoho ManageEngine, Microsoft Office Creating Suspicious File, Microsoft Defender Antivirus Threat Detected, SquirrelWaffle Malspam Execution Loading DLL, Suspicious VBS Execution Parameter, Suspicious PowerShell Invocations - Specific, Lazarus Loaders, Elise Backdoor, DNS Exfiltration and Tunneling Tools Execution, PowerShell Invoke Expression With Registry, Suspicious File Name, Linux Bash Reverse Shell"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Winrshost Wrong Parent, Suspicious DNS Child Process, Wsmprovhost Wrong Parent, Wininit Wrong Parent, SolarWinds Wrong Child Process, Spoolsv Wrong Parent, Windows Update LolBins, Winlogon wrong parent, Svchost Wrong Parent, PsExec Process, Winword wrong parent, Taskhostw Wrong Parent, SolarWinds Suspicious File Creation, Dllhost Wrong Parent, Usage Of Sysinternals Tools, Csrss Wrong Parent, Rare Lsass Child Found, Smss Wrong Parent, OneNote Suspicious Children Process, Searchprotocolhost Child Found, Gpscript Suspicious Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, Taskhost Wrong Parent, Login Brute-Force Successful On SentinelOne EDR Management Console, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, Wmiprvse Wrong Parent, Logonui Wrong Parent, Csrss Child Found, Microsoft Defender Antivirus Threat Detected, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Userinit Wrong Parent, Lsass Wrong Parent"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Program Allowed With Suspicious Location, Netsh Allow Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Exclusion Configuration, Netsh RDP Port Opening, Microsoft Defender Antivirus Tampering Detected, Disable .NET ETW Through COMPlus_ETWEnabled, FLTMC command usage, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PROCEXP152.sys File Created In Tmp, Netsh RDP Port Forwarding, Netsh Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Disabled IE Security Features, ETW Tampering, Powershell AMSI Bypass, MalwareBytes Uninstallation, Raccine Uninstall, Disable Windows Defender Credential Guard, Address Space Layout Randomization (ASLR) Alteration, Windows Firewall Changes, Microsoft Defender Antivirus Disable Using Registry, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable Services, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, NetNTLM Downgrade Attack, Dism Disabling Windows Defender, WMIC Uninstall Product, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Port Opening, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Task Manager Through Registry Key, Netsh Allowed Python Program, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Driver Loaded"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Microsoft Defender Antivirus Tampering Detected, Clear EventLogs Through CommandLine, Erase Shell History, ETW Tampering, Compression Followed By Suppression"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, FLTMC command usage, ETW Tampering"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Exclusion Configuration, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PROCEXP152.sys File Created In Tmp, Netsh RDP Port Forwarding, Netsh Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Disabled IE Security Features, MalwareBytes Uninstallation, Raccine Uninstall, Disable Windows Defender Credential Guard, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Disable Services, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, NetNTLM Downgrade Attack, Dism Disabling Windows Defender, WMIC Uninstall Product, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Port Opening, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Task Manager Through Registry Key, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Driver Loaded"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Process Names In Command Line, NTDS.dit File In Suspicious Directory, Mimikatz Basic Commands, Process Memory Dump Using Comsvcs, Grabbing Sensitive Hives Via Reg Utility, WCE wceaux.dll Creation, Copying Browser Files With Credentials, HackTools Suspicious Names, NTDS.dit File Interaction Through Command Line, Suspicious CommandLine Lsassy Pattern, Windows Credential Editor Registry Key, Cmdkey Cached Credentials Recon, Process Trace Alteration, Rubeus Tool Command-line, Wdigest Enable UseLogonCredential, Credential Dump Tools Related Files, NetNTLM Downgrade Attack, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Ursnif Registry Key, Suspicious New Printer Ports In Registry, RedMimicry Winnti Playbook Registry Manipulation, RDP Sensitive Settings Changed, Wdigest Enable UseLogonCredential, Suspicious Desktopimgdownldr Execution, Disable Workstation Lock, DHCP Callout DLL Installation, FlowCloud Malware, DNS ServerLevelPluginDll Installation, Disabling SmartScreen Via Registry, OceanLotus Registry Activity, NetNTLM Downgrade Attack, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Rclone Process, Suspicious certutil command, Network Connection Via Certutil, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP UAC Bypass via COM Object Access, CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Empire Monkey Activity, IcedID Execution Using Excel, Suspicious Desktopimgdownldr Execution, Suspicious Mshta Execution, xWizard Execution, Suspicious Regsvr32 Execution, Malspam Execution Registering Malicious DLL, MavInject Process Injection, PowerShell Execution Via Rundll32, CertOC Loading Dll, Suspicious DLL Loading By Ordinal, CMSTP UAC Bypass via COM Object Access, Suspicious Taskkill Command, MOFComp Execution, Explorer Process Executing HTA File, Equation Group DLL_U Load, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Regasm Regsvcs Usage, CMSTP Execution, SquirrelWaffle Malspam Execution Loading DLL, Control Panel Items, Suspicious Control Process, AccCheckConsole Executing Dll, Mshta JavaScript Execution, Suspicious Windows Installer Execution, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, QakBot Process Creation, Suspicious CodePage Switch with CHCP, Microsoft Office Creating Suspicious File, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Suspicious VBS Execution Parameter, Microsoft Office Spawning Script, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, WMImplant Hack Tool, Suspicious PowerShell Keywords, PowerShell Downgrade Attack, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Powershell Web Request, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Taskkill Command, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, Mshta Suspicious Child Process, PowerShell Download From URL, Invoke-TheHash Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, Suspicious PowerShell Invocations - Generic, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, PowerShell Invoke Expression With Registry"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Control Panel Items, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Sticky Key Like Backdoor Usage, WMI Persistence Script Event Consumer File Write, Change Default File Association, Component Object Model Hijacking"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Shadow Copies, Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Wsmprovhost Wrong Parent, Smss Wrong Parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration, Svchost Wrong Parent, Searchprotocolhost Wrong Parent, Searchindexer Wrong Parent, Taskhost Wrong Parent, Taskhostw Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Explorer Wrong Parent"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Winrshost Wrong Parent, Wsmprovhost Wrong Parent, Wininit Wrong Parent, SolarWinds Wrong Child Process, Spoolsv Wrong Parent, Winlogon wrong parent, Svchost Wrong Parent, Winword wrong parent, Taskhostw Wrong Parent, Dllhost Wrong Parent, Csrss Wrong Parent, Rare Lsass Child Found, Smss Wrong Parent, OneNote Suspicious Children Process, Searchprotocolhost Child Found, Gpscript Suspicious Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, New Service Creation, Taskhost Wrong Parent, Explorer Wrong Parent, Wmiprvse Wrong Parent, Logonui Wrong Parent, Csrss Child Found, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Userinit Wrong Parent, Lsass Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Winrshost Wrong Parent, Wsmprovhost Wrong Parent, Wininit Wrong Parent, SolarWinds Wrong Child Process, Spoolsv Wrong Parent, Winlogon wrong parent, Svchost Wrong Parent, Winword wrong parent, Taskhostw Wrong Parent, Dllhost Wrong Parent, Csrss Wrong Parent, Rare Lsass Child Found, Smss Wrong Parent, OneNote Suspicious Children Process, Searchprotocolhost Child Found, Gpscript Suspicious Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, New Service Creation, Taskhost Wrong Parent, Explorer Wrong Parent, Wmiprvse Wrong Parent, Logonui Wrong Parent, Csrss Child Found, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Userinit Wrong Parent, Lsass Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Winrshost Wrong Parent, Suspicious DNS Child Process, Wsmprovhost Wrong Parent, Wininit Wrong Parent, SolarWinds Wrong Child Process, Spoolsv Wrong Parent, Winlogon wrong parent, Svchost Wrong Parent, PsExec Process, Winword wrong parent, Taskhostw Wrong Parent, Dllhost Wrong Parent, Usage Of Sysinternals Tools, Csrss Wrong Parent, Rare Lsass Child Found, Smss Wrong Parent, OneNote Suspicious Children Process, Searchprotocolhost Child Found, Gpscript Suspicious Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, Taskhost Wrong Parent, Usage Of Procdump With Common Arguments, Wmiprvse Wrong Parent, Logonui Wrong Parent, Csrss Child Found, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Userinit Wrong Parent, Lsass Wrong Parent"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Password Change On Directory Service Restore Mode (DSRM) Account, Add User to Privileged Group, Enabling Restricted Admin Mode"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Powershell AMSI Bypass, Netsh Port Opening, Netsh Program Allowed With Suspicious Location, Netsh Allow Command, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password, PowerShell Data Compressed"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Blue Mockingbird Malware, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Openfiles Usage, Network Scanning and Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Trickbot Malware Activity, PowerView commandlets 1, AdFind Usage, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, IIS Module Installation Using AppCmd, Webshell Execution W3WP Process, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Copy Of Legitimate System32 Executable, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, AutoIt3 Execution From Suspicious Folder, RTLO Character, Suspicious Cmd.exe Command Line, Explorer Wrong Parent"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Ngrok Process Execution, Netsh Port Forwarding, Potential DNS Tunnel"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Stop Backup Services"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Process Call Creation, WMIC Uninstall Product, Impacket Wmiexec Module, WMImplant Hack Tool, WMI Install Of Binary, Invoke-TheHash Commandlets, Suspicious Mshta Execution From Wmi, Wmic Service Call, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host, Rubeus Tool Command-line"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution, Cryptomining, Sliver DNS Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Correlation Potential DNS Tunnel, Suspicious Windows DNS Queries, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Bazar Loader DGA (Domain Generation Algorithm), DNS Tunnel Technique From MuddyWater, Sliver DNS Beaconing, Cryptomining"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Autorun Keys Modification, Leviathan Registry Key Activity, Powershell Winlogon Helper DLL, DLL Load via LSASS Registry Key, Suspicious desktop.ini Action, Svchost Modification, Njrat Registry Values, Security Support Provider (SSP) Added to LSA Configuration, RUN Registry Key Created From Suspicious Folder, Kernel Module Alteration, NjRat Registry Changes"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious XOR Encoded PowerShell Command Line, Suspicious certutil command, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Gpresult Usage, Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, Network Sniffing, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Office Application Startup Office Test"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Leviathan Registry Key Activity, Autorun Keys Modification, Svchost Modification, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, PowerShell Execution Via Rundll32, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, WMIC Uninstall Product, MalwareBytes Uninstallation, Exploited CVE-2020-10189 Zoho ManageEngine, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Lazarus Loaders, Elise Backdoor, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, Phorpiex DriveMgr Command, Mustang Panda Dropper"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access, Adexplorer Usage, Linux Suspicious Search, Opening Of a Password File, Container Credential Access"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Potential DNS Tunnel, Exfiltration Domain, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder, Explorer Wrong Parent"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Callout DLL Installation, DHCP Server Error Failed Loading the CallOut DLL, DNS ServerLevelPluginDll Installation, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Callout DLL Installation, DHCP Server Error Failed Loading the CallOut DLL, Dynamic Linker Hijacking From Environment Variable, DNS ServerLevelPluginDll Installation, Exploiting SetupComplete.cmd CVE-2019-1378, DHCP Server Loaded the CallOut DLL, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious Hangul Word Processor Child Process, Msdt (Follina) File Browse Process Execution, Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, Suspicious Outlook Child Process, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, Suspicious Windows DNS Queries"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern, Credential Dump Tools Related Files, Process Memory Dump Using Createdump, Windows Credential Editor Registry Key"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding, TOR Usage, Suspicious TOR Gateway"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage, Suspicious TOR Gateway"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Azure Windows", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Sysmon Windows File Block Executable, Microsoft Office Spawning Script, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Exploit For CVE-2015-1641, Explorer Process Executing HTA File, Winword Document Droppers, Microsoft Office Creating Suspicious File, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Sysmon Windows File Block Executable, Microsoft Office Spawning Script, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Exploit For CVE-2015-1641, Explorer Process Executing HTA File, Winword Document Droppers, Microsoft Office Creating Suspicious File, Login Brute-Force Successful On SentinelOne EDR Management Console, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, Microsoft Defender Antivirus Threat Detected, Suspicious Outlook Child Process, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, PowerShell Commands Invocation, Suspicious File Name, Bloodhound and Sharphound Tools Usage, Suspicious XOR Encoded PowerShell Command Line, Venom Multi-hop Proxy agent detection, Suspicious PowerShell Keywords, Suspicious Cmd.exe Command Line, WMIC Uninstall Product, Suspicious PowerShell Invocations - Specific, Suspicious VBS Execution Parameter, Microsoft Defender Antivirus Threat Detected, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, SquirrelWaffle Malspam Execution Loading DLL, Suspicious CodePage Switch with CHCP, Microsoft Office Spawning Script, Socat Reverse Shell Detection, Phorpiex DriveMgr Command, Invoke-TheHash Commandlets, Malspam Execution Registering Malicious DLL, Powershell Web Request, XSL Script Processing And SquiblyTwo Attack, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Office Creating Suspicious File, Mshta Suspicious Child Process, WMImplant Hack Tool, Sekoia.io EICAR Detection, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, AutoIt3 Execution From Suspicious Folder, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Socat Relaying Socket, PowerShell EncodedCommand, FromBase64String Command Line, Suspicious Taskkill Command, Generic-reverse-shell-oneliner, QakBot Process Creation, Linux Bash Reverse Shell, PowerShell Downgrade Attack, Elise Backdoor, Exploited CVE-2020-10189 Zoho ManageEngine, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PowerShell Invocations - Generic, Trickbot Malware Activity, Suspicious Windows Script Execution, Login Brute-Force Successful On SentinelOne EDR Management Console, Mustang Panda Dropper, Lazarus Loaders, Sysprep On AppData Folder, Suspicious Outlook Child Process, PowerShell Download From URL"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Rare Logonui Child Found, Searchprotocolhost Wrong Parent, PsExec Process, Spoolsv Wrong Parent, Wininit Wrong Parent, Microsoft Defender Antivirus Threat Detected, Userinit Wrong Parent, Exfiltration Via Pscp, Winrshost Wrong Parent, Windows Update LolBins, Gpscript Suspicious Parent, SolarWinds Wrong Child Process, Smss Wrong Parent, Usage Of Procdump With Common Arguments, Winword wrong parent, OneNote Suspicious Children Process, Suspicious DNS Child Process, Dllhost Wrong Parent, Svchost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Lsass Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Rare Lsass Child Found, Searchprotocolhost Child Found, Csrss Wrong Parent, Csrss Child Found, SolarWinds Suspicious File Creation, Usage Of Sysinternals Tools, Wmiprvse Wrong Parent, Login Brute-Force Successful On SentinelOne EDR Management Console, Logonui Wrong Parent, Searchindexer Wrong Parent"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Windows Firewall Changes, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Program Allowed With Suspicious Location, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Powershell AMSI Bypass, Microsoft Defender Antivirus Exclusion Configuration, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Opening, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Port Opening, Disabled IE Security Features, Netsh Port Forwarding, FLTMC command usage, Netsh Allow Command, NetNTLM Downgrade Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, ETW Tampering, Disable .NET ETW Through COMPlus_ETWEnabled, AMSI Deactivation Using Registry Key, Suspicious Driver Loaded, Microsoft Defender Antivirus Disable Services, Address Space Layout Randomization (ASLR) Alteration, Fail2ban Unban IP, Clear EventLogs Through CommandLine, Raccine Uninstall, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Suspicious PROCEXP152.sys File Created In Tmp, Disable Task Manager Through Registry Key"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, Microsoft Defender Antivirus Tampering Detected, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Deleted, Erase Shell History, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, FLTMC command usage"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Program Allowed With Suspicious Location, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Microsoft Defender Antivirus Exclusion Configuration, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Port Opening, Disabled IE Security Features, Netsh Port Forwarding, NetNTLM Downgrade Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, AMSI Deactivation Using Registry Key, Suspicious Driver Loaded, Microsoft Defender Antivirus Disable Services, Address Space Layout Randomization (ASLR) Alteration, Fail2ban Unban IP, Raccine Uninstall, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Suspicious PROCEXP152.sys File Created In Tmp, Disable Task Manager Through Registry Key"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Process Memory Dump Using Comsvcs, NTDS.dit File In Suspicious Directory, HackTools Suspicious Process Names In Command Line, HackTools Suspicious Names, Process Trace Alteration, Grabbing Sensitive Hives Via Reg Utility, Rubeus Tool Command-line, Copying Sensitive Files With Credential Data, Credential Dump Tools Related Files, Suspicious CommandLine Lsassy Pattern, WCE wceaux.dll Creation, NetNTLM Downgrade Attack, Process Memory Dump Using Rdrleakdiag, Wdigest Enable UseLogonCredential, Process Memory Dump Using Createdump, Windows Credential Editor Registry Key, Mimikatz Basic Commands, NTDS.dit File Interaction Through Command Line, Copying Browser Files With Credentials"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Disable Workstation Lock, NetNTLM Downgrade Attack, Blue Mockingbird Malware, FlowCloud Malware, Wdigest Enable UseLogonCredential, RDP Sensitive Settings Changed, Suspicious New Printer Ports In Registry, RedMimicry Winnti Playbook Registry Manipulation, OceanLotus Registry Activity, Suspicious Desktopimgdownldr Execution, Disabling SmartScreen Via Registry, DHCP Callout DLL Installation, Disable .NET ETW Through COMPlus_ETWEnabled, Ursnif Registry Key"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File, Network Connection Via Certutil, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Rclone Process, Suspicious Finger Usage"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, Mshta JavaScript Execution, MavInject Process Injection, Suspicious Control Process, MOFComp Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Regasm Regsvcs Usage, Malspam Execution Registering Malicious DLL, CertOC Loading Dll, xWizard Execution, PowerShell Execution Via Rundll32, Control Panel Items, Empire Monkey Activity, Suspicious Desktopimgdownldr Execution, Suspicious Taskkill Command, Suspicious Mshta Execution, Suspicious DLL Loading By Ordinal, Suspicious Regsvr32 Execution, CMSTP UAC Bypass via COM Object Access, CMSTP Execution, Explorer Process Executing HTA File, Equation Group DLL_U Load, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Microsoft Office Spawning Script, Malspam Execution Registering Malicious DLL, XSL Script Processing And SquiblyTwo Attack, Microsoft Office Creating Suspicious File, Suspicious Windows Script Execution, SquirrelWaffle Malspam Execution Loading DLL, QakBot Process Creation, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, Bloodhound and Sharphound Tools Usage, Suspicious XOR Encoded PowerShell Command Line, Suspicious PowerShell Keywords, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, Invoke-TheHash Commandlets, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), Mshta Suspicious Child Process, WMImplant Hack Tool, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, FromBase64String Command Line, Suspicious Taskkill Command, PowerShell Downgrade Attack, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious PowerShell Invocations - Generic, PowerShell Download From URL"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Control Panel Items, Sticky Key Like Backdoor Usage, Change Default File Association, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, Shadow Copies, Suspicious Headless Web Browser Execution To Download File, System Info Discovery"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Svchost Wrong Parent, Taskhostw Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Smss Wrong Parent, Wsmprovhost Wrong Parent, Wmiprvse Wrong Parent, MavInject Process Injection, Explorer Wrong Parent, Spoolsv Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Searchindexer Wrong Parent"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Rare Logonui Child Found, Searchprotocolhost Wrong Parent, Spoolsv Wrong Parent, Wininit Wrong Parent, New Service Creation, Userinit Wrong Parent, Winrshost Wrong Parent, Gpscript Suspicious Parent, SolarWinds Wrong Child Process, Smss Wrong Parent, Explorer Wrong Parent, Winword wrong parent, OneNote Suspicious Children Process, Dllhost Wrong Parent, Svchost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Lsass Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Rare Lsass Child Found, Searchprotocolhost Child Found, Csrss Wrong Parent, Csrss Child Found, Wmiprvse Wrong Parent, Logonui Wrong Parent, Searchindexer Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Rare Logonui Child Found, Searchprotocolhost Wrong Parent, Spoolsv Wrong Parent, Wininit Wrong Parent, New Service Creation, Userinit Wrong Parent, Winrshost Wrong Parent, Gpscript Suspicious Parent, SolarWinds Wrong Child Process, Smss Wrong Parent, Explorer Wrong Parent, Winword wrong parent, OneNote Suspicious Children Process, Dllhost Wrong Parent, Svchost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Lsass Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Rare Lsass Child Found, Searchprotocolhost Child Found, Csrss Wrong Parent, Csrss Child Found, Wmiprvse Wrong Parent, Logonui Wrong Parent, Searchindexer Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Rare Logonui Child Found, Searchprotocolhost Wrong Parent, PsExec Process, Spoolsv Wrong Parent, Wininit Wrong Parent, Userinit Wrong Parent, Winrshost Wrong Parent, Gpscript Suspicious Parent, SolarWinds Wrong Child Process, Smss Wrong Parent, Usage Of Procdump With Common Arguments, Winword wrong parent, OneNote Suspicious Children Process, Suspicious DNS Child Process, Dllhost Wrong Parent, Svchost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Lsass Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Rare Lsass Child Found, Searchprotocolhost Child Found, Csrss Wrong Parent, Csrss Child Found, Usage Of Sysinternals Tools, Wmiprvse Wrong Parent, Logonui Wrong Parent, Searchindexer Wrong Parent"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account, Enabling Restricted Admin Mode, Add User to Privileged Group, Mimikatz Basic Commands"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Netsh Allow Command, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Program Allowed With Suspicious Location, Powershell AMSI Bypass, Netsh Port Opening, Netsh Port Forwarding"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, PowerShell Data Compressed, Data Compressed With Rar With Password"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, Suspicious DNS Child Process"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2, Network Scanning and Discovery, Openfiles Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 1, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 1, Network Share Discovery, PowerView commandlets 2"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, Trickbot Malware Activity, PowerView commandlets 2, NlTest Usage, AdFind Usage, PowerView commandlets 1"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading, Webshell Creation, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading, Webshell Creation, IIS Module Installation Using AppCmd, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Copy Of Legitimate System32 Executable, AutoIt3 Execution From Suspicious Folder, Formbook Hijacked Process Command, Non-Legitimate Executable Using AcceptEula Parameter, Legitimate Process Execution From Unusual Folder, Suspicious Cmd.exe Command Line, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Socat Reverse Shell Detection, Socat Relaying Socket, Potential DNS Tunnel, Venom Multi-hop Proxy agent detection, Ngrok Process Execution, Netsh Port Forwarding"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Stop Backup Services, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Impacket Wmiexec Module, WMI Install Of Binary, Invoke-TheHash Commandlets, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, Wmic Process Call Creation, WMIC Uninstall Product, WMImplant Hack Tool, Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Cryptomining, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing, Suspicious Windows DNS Queries, DNS Tunnel Technique From MuddyWater, Dynamic DNS Contacted"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, DLL Load via LSASS Registry Key, Malware Persistence Registry Key, RUN Registry Key Created From Suspicious Folder, Suspicious desktop.ini Action, NjRat Registry Changes, Svchost Modification, Njrat Registry Values, Autorun Keys Modification, Kernel Module Alteration, Powershell Winlogon Helper DLL, Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Suspicious XOR Encoded PowerShell Command Line, OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, IcedID Execution Using Excel"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder, Svchost Modification, Autorun Keys Modification, Malware Persistence Registry Key"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, Empire Monkey Activity, Equation Group DLL_U Load, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Elise Backdoor, Exploited CVE-2020-10189 Zoho ManageEngine, Exploiting SetupComplete.cmd CVE-2019-1378, Phorpiex DriveMgr Command, Malspam Execution Registering Malicious DLL, Suspicious Cmd.exe Command Line, Suspicious Taskkill Command, Mustang Panda Dropper, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Adexplorer Usage, Opening Of a Password File, Linux Suspicious Search, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line, Exfiltration Domain"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Legitimate Process Execution From Unusual Folder, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Callout DLL Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL, Exploiting SetupComplete.cmd CVE-2019-1378, DNS Server Error Failed Loading The ServerLevelPluginDLL, Hijack Legit RDP Session To Move Laterally, Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious New Printer Ports In Registry, Msdt (Follina) File Browse Process Execution, Exploit For CVE-2015-1641, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Hangul Word Processor Child Process, Suspicious Outlook Child Process"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, Suspicious Windows DNS Queries"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Windows Credential Editor Registry Key, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Suspicious New Printer Ports In Registry, Certify Or Certipy, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, TOR Usage, Netsh Port Forwarding"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_2886cd2d-f686-4e7d-9976-250cba2eaf5b_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_2886cd2d-f686-4e7d-9976-250cba2eaf5b_do_not_edit_manually.json
index 43efb68121..b68751dc07 100644
--- a/_shared_content/operations_center/detection/generated/attack_2886cd2d-f686-4e7d-9976-250cba2eaf5b_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_2886cd2d-f686-4e7d-9976-250cba2eaf5b_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Broadcom Edge Secure Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-21985 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2020-1147 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-17530 Apache Struts RCE, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-41773 Apache 2.4.49 Path Traversal, GitLab CVE-2021-22205, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2019-0604 SharePoint"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, LokiBot Default C2 URL"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Dynamic DNS Contacted, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing, Cryptomining, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, LokiBot Default C2 URL"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing, Cryptomining"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Broadcom Edge Secure Web Gateway High Threat"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Broadcom Edge Secure Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), GitLab CVE-2021-22205, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Cryptomining, Potential Lemon Duck User-Agent, Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Covenant Default HTTP Beaconing, Dynamic DNS Contacted"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Broadcom Edge Secure Web Gateway High Threat"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_2b13307b-7439-4973-900a-2b58303cac90_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_2b13307b-7439-4973-900a-2b58303cac90_do_not_edit_manually.json
index dc34d9d082..00fe08a40f 100644
--- a/_shared_content/operations_center/detection/generated/attack_2b13307b-7439-4973-900a-2b58303cac90_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_2b13307b-7439-4973-900a-2b58303cac90_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x VMware ESXi", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Venom Multi-hop Proxy agent detection, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, Socat Reverse Shell Detection, WMImplant Hack Tool, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Mustang Panda Dropper, PowerShell EncodedCommand, QakBot Process Creation, Socat Relaying Socket, Powershell Web Request, Malspam Execution Registering Malicious DLL, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Taskkill Command, Bloodhound and Sharphound Tools Usage, MalwareBytes Uninstallation, PowerShell Commands Invocation, Invoke-TheHash Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, WMIC Uninstall Product, Suspicious PowerShell Invocations - Generic, Lazarus Loaders, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, PowerShell Invoke Expression With Registry, Suspicious File Name, Linux Bash Reverse Shell"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Process Names In Command Line, HackTools Suspicious Names, Process Trace Alteration, Process Memory Dump Using Rdrleakdiag, Mimikatz Basic Commands, Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, Wdigest Enable UseLogonCredential, NTDS.dit File Interaction Through Command Line, WCE wceaux.dll Creation, Suspicious CommandLine Lsassy Pattern, Credential Dump Tools Related Files, Copying Browser Files With Credentials"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious certutil command, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Powershell AMSI Bypass, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Forwarding, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PROCEXP152.sys File Created In Tmp, Netsh RDP Port Forwarding, Netsh Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Disabled IE Security Features, ETW Tampering, Powershell AMSI Bypass, MalwareBytes Uninstallation, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Windows Firewall Changes, Microsoft Defender Antivirus Disable Using Registry, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Task Manager Through Registry Key, Netsh Allowed Python Program, Debugging Software Deactivation"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Wdigest Enable UseLogonCredential, Suspicious Desktopimgdownldr Execution, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, COM Hijack Via Sdclt, Control Panel Items, HTML Smuggling Suspicious Usage, Reconnaissance Commands Activities, Change Default File Association, Component Object Model Hijacking"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, Reconnaissance Commands Activities, UAC Bypass Via Sdclt"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, PowerView commandlets 1, Reconnaissance Commands Activities, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, PowerView commandlets 1, AdFind Usage, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, MavInject Process Injection, Suspicious Desktopimgdownldr Execution, Equation Group DLL_U Load, Control Panel Items, CertOC Loading Dll, Suspicious DLL Loading By Ordinal, Suspicious Taskkill Command, Suspicious Windows Installer Execution"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket, SOCKS Tunneling Tool, Ngrok Process Execution, Netsh Port Forwarding"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Correlation Multi Service Disable"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Stop Backup Services"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, Malspam Execution Registering Malicious DLL, HTA Infection Chains, ISO LNK Infection Chain, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Process Call Creation, WMIC Uninstall Product, WMImplant Hack Tool, WMI Install Of Binary, WMI Fingerprint Commands, Invoke-TheHash Commandlets, Wmic Service Call, Blue Mockingbird Malware"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, Default Encoding To UTF-8 PowerShell, Suspicious PowerShell Invocations - Generic, Powershell Web Request, WMImplant Hack Tool, Suspicious PowerShell Keywords, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, FromBase64String Command Line, DNS Exfiltration and Tunneling Tools Execution, Suspicious Taskkill Command, PowerShell Invoke Expression With Registry, Invoke-TheHash Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Bloodhound and Sharphound Tools Usage, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Autorun Keys Modification, Leviathan Registry Key Activity, Njrat Registry Values, NjRat Registry Changes"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, WMIC Uninstall Product, MalwareBytes Uninstallation, Raccine Uninstall, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Disable Services, Netsh RDP Port Forwarding, Netsh Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Disabled IE Security Features"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, QakBot Process Creation"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Credentials Extraction, XCopy Suspicious Usage, Outlook Registry Access, Container Credential Access"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credentials Extraction, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Credential Dump Tools Related Files"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: ACLight Discovering Privileged Accounts, Adidnsdump Enumeration"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, ETW Tampering, Compression Followed By Suppression"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, PowerShell Data Compressed"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, MalwareBytes Uninstallation, Malspam Execution Registering Malicious DLL, Lazarus Loaders, Suspicious Taskkill Command, Phorpiex DriveMgr Command, Mustang Panda Dropper"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Cryptomining, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, WMI Fingerprint Commands, Discovery Commands Correlation"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern, Credential Dump Tools Related Files"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x VMware ESXi", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, PowerShell Commands Invocation, Suspicious File Name, Bloodhound and Sharphound Tools Usage, Venom Multi-hop Proxy agent detection, Suspicious PowerShell Keywords, WMIC Uninstall Product, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Socat Reverse Shell Detection, Phorpiex DriveMgr Command, Invoke-TheHash Commandlets, Malspam Execution Registering Malicious DLL, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), WMImplant Hack Tool, Sekoia.io EICAR Detection, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Socat Relaying Socket, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, FromBase64String Command Line, Suspicious Taskkill Command, QakBot Process Creation, Linux Bash Reverse Shell, Suspicious PowerShell Invocations - Generic, Mustang Panda Dropper, Lazarus Loaders, MalwareBytes Uninstallation"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, Credential Dump Tools Related Files, Process Trace Alteration, Suspicious CommandLine Lsassy Pattern, WCE wceaux.dll Creation, Mimikatz Basic Commands, HackTools Suspicious Process Names In Command Line, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Names, Process Memory Dump Using Rdrleakdiag, Wdigest Enable UseLogonCredential, Copying Browser Files With Credentials"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious certutil command, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Windows Firewall Changes, Powershell AMSI Bypass, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Netsh RDP Port Forwarding, Windows Firewall Changes, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Powershell AMSI Bypass, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Disabled IE Security Features, Netsh Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, ETW Tampering, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable Services, Address Space Layout Randomization (ASLR) Alteration, Clear EventLogs Through CommandLine, Raccine Uninstall, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Suspicious PROCEXP152.sys File Created In Tmp, Disable Task Manager Through Registry Key"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Blue Mockingbird Malware, Wdigest Enable UseLogonCredential, RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, DHCP Callout DLL Installation, Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Control Panel Items, Reconnaissance Commands Activities, Change Default File Association, New DLL Added To AppCertDlls Registry Key, COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, UAC Bypass Via Sdclt, Reconnaissance Commands Activities"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, Reconnaissance Commands Activities, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 1, Network Share Discovery, PowerView commandlets 2"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, AdFind Usage, NlTest Usage, PowerView commandlets 1"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution, Control Panel Items, Malspam Execution Registering Malicious DLL, CertOC Loading Dll, Suspicious Desktopimgdownldr Execution, MavInject Process Injection, Equation Group DLL_U Load, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, RTLO Character, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Ngrok Process Execution, Netsh Port Forwarding"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Stop Backup Services, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, WMI Fingerprint Commands, WMI Install Of Binary, Invoke-TheHash Commandlets, Blue Mockingbird Malware, Wmic Process Call Creation, WMIC Uninstall Product, WMImplant Hack Tool"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Default Encoding To UTF-8 PowerShell, PowerShell Invoke Expression With Registry, Invoke-TheHash Commandlets, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Generic, Bloodhound and Sharphound Tools Usage, Powershell Web Request, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, FromBase64String Command Line, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, NjRat Registry Changes, Njrat Registry Values, Autorun Keys Modification, Malware Persistence Registry Key"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Services, Netsh Port Forwarding, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, Microsoft Defender Antivirus Disable Using Registry, WMIC Uninstall Product, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PROCEXP152.sys File Created In Tmp, Disable Task Manager Through Registry Key"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, FromBase64String Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, QakBot Process Creation"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Credentials Extraction, XCopy Suspicious Usage, Outlook Registry Access, Container Credential Access"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credentials Extraction, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Copying Browser Files With Credentials"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, ACLight Discovering Privileged Accounts"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line, Exfiltration Domain"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar With Password"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Mustang Panda Dropper, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Cryptomining, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Dynamic DNS Contacted"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, WMI Fingerprint Commands, Listing Systemd Environment"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Python HTTP Server"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_2ee6048e-8322-4575-8e47-1574946412b6_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_2ee6048e-8322-4575-8e47-1574946412b6_do_not_edit_manually.json
index 68c214437a..74558d21cc 100644
--- a/_shared_content/operations_center/detection/generated/attack_2ee6048e-8322-4575-8e47-1574946412b6_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_2ee6048e-8322-4575-8e47-1574946412b6_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco ESA", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Socat Reverse Shell Detection, Socat Relaying Socket, Microsoft Office Creating Suspicious File, Bloodhound and Sharphound Tools Usage, Suspicious File Name"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner New Issues"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-26855 Exchange SSRF, CVE-2020-1147 SharePoint, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2020-17530 Apache Struts RCE, CVE-2021-21972 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-0604 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21985 VMware vCenter"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, HTA Infection Chains, ISO LNK Infection Chain, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, Process Trace Alteration, NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation, Credential Dump Tools Related Files"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Potential DNS Tunnel, Socat Relaying Socket, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential LokiBot User-Agent, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Suspicious Windows DNS Queries, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential LokiBot User-Agent, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Dynamic DNS Contacted, Correlation Potential DNS Tunnel, Covenant Default HTTP Beaconing, Suspicious Windows DNS Queries, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, TrevorC2 HTTP Communication, Bazar Loader DGA (Domain Generation Algorithm), Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cryptomining, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Email Attachment Received"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Suspicious Double Extension, Suspicious Email Attachment Received, Download Files From Suspicious TLDs"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious Desktopimgdownldr Execution, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ISO LNK Infection Chain, Download Files From Suspicious TLDs, HTA Infection Chains"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco ESA", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Socat Reverse Shell Detection, Suspicious File Name, Socat Relaying Socket, Bloodhound and Sharphound Tools Usage, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner New Issues"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-1147 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, HTA Infection Chains, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, ISO LNK Infection Chain"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, OneNote Suspicious Children Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Process Trace Alteration, NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation, HackTools Suspicious Names"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Socat Relaying Socket, Exfiltration And Tunneling Tools Execution, Socat Reverse Shell Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Exfiltration And Tunneling Tools Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, Suspicious Windows DNS Queries, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, TrevorC2 HTTP Communication, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Exfiltration And Tunneling Tools Execution, Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Suspicious Windows DNS Queries, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, TrevorC2 HTTP Communication, Covenant Default HTTP Beaconing, Dynamic DNS Contacted"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Email Attachment Received"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, Suspicious Email Attachment Received"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Suspicious Desktopimgdownldr Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: HTA Infection Chains, Download Files From Suspicious TLDs, ISO LNK Infection Chain"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage, NlTest Usage"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_2ffff1fd-fed7-4a24-927a-d619f2bb584a_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_2ffff1fd-fed7-4a24-927a-d619f2bb584a_do_not_edit_manually.json
index 45b5df83d7..32563bd7f7 100644
--- a/_shared_content/operations_center/detection/generated/attack_2ffff1fd-fed7-4a24-927a-d619f2bb584a_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_2ffff1fd-fed7-4a24-927a-d619f2bb584a_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x ESET Protect [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Socat Reverse Shell Detection, QakBot Process Creation, Socat Relaying Socket, Suspicious Outlook Child Process, AutoIt3 Execution From Suspicious Folder, Microsoft Office Spawning Script, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: QakBot Process Creation, Microsoft Office Spawning Script"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: MS Office Product Spawning Exe in User Dir, Winword Document Droppers, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: ESET Protect Intrusion Detection, ZIP LNK Infection Chain, Suspicious Outlook Child Process, MS Office Product Spawning Exe in User Dir, Winword Document Droppers, HTA Infection Chains, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, ISO LNK Infection Chain, Exploit For CVE-2015-1641, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Wsmprovhost Wrong Parent, Smss Wrong Parent, Wmiprvse Wrong Parent, Svchost Wrong Parent, Searchprotocolhost Wrong Parent, Searchindexer Wrong Parent, Taskhost Wrong Parent, Taskhostw Wrong Parent, Explorer Wrong Parent"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Wsmprovhost Wrong Parent, SolarWinds Wrong Child Process, Winlogon wrong parent, Svchost Wrong Parent, Winword wrong parent, Taskhostw Wrong Parent, Dllhost Wrong Parent, Rare Lsass Child Found, Smss Wrong Parent, OneNote Suspicious Children Process, Searchprotocolhost Child Found, Gpscript Suspicious Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, Taskhost Wrong Parent, Explorer Wrong Parent, Wmiprvse Wrong Parent, Logonui Wrong Parent, Csrss Child Found, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Userinit Wrong Parent, Lsass Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Wsmprovhost Wrong Parent, SolarWinds Wrong Child Process, Winlogon wrong parent, Svchost Wrong Parent, Winword wrong parent, Taskhostw Wrong Parent, Dllhost Wrong Parent, Rare Lsass Child Found, Smss Wrong Parent, OneNote Suspicious Children Process, Searchprotocolhost Child Found, Gpscript Suspicious Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, Taskhost Wrong Parent, Explorer Wrong Parent, Wmiprvse Wrong Parent, Logonui Wrong Parent, Csrss Child Found, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Userinit Wrong Parent, Lsass Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Suspicious DNS Child Process, Wsmprovhost Wrong Parent, SolarWinds Wrong Child Process, Winlogon wrong parent, Svchost Wrong Parent, PsExec Process, Winword wrong parent, Taskhostw Wrong Parent, Dllhost Wrong Parent, Rare Lsass Child Found, Smss Wrong Parent, OneNote Suspicious Children Process, Searchprotocolhost Child Found, Gpscript Suspicious Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, Taskhost Wrong Parent, Wmiprvse Wrong Parent, Logonui Wrong Parent, Csrss Child Found, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Userinit Wrong Parent, Lsass Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Suspicious DNS Child Process, Wsmprovhost Wrong Parent, SolarWinds Wrong Child Process, Winlogon wrong parent, Svchost Wrong Parent, PsExec Process, Winword wrong parent, Taskhostw Wrong Parent, Dllhost Wrong Parent, Rare Lsass Child Found, Smss Wrong Parent, OneNote Suspicious Children Process, Searchprotocolhost Child Found, Gpscript Suspicious Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, Taskhost Wrong Parent, Wmiprvse Wrong Parent, Logonui Wrong Parent, Csrss Child Found, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Userinit Wrong Parent, Lsass Wrong Parent"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder, AutoIt3 Execution From Suspicious Folder, RTLO Character, Explorer Wrong Parent"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, Process Trace Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, SEKOIA.IO Intelligence Feed, Suspicious Double Extension, Suspicious Outlook Child Process, ESET Protect Malware"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, Discovery Commands Correlation"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, Discovery Commands Correlation"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Discovery Commands Correlation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Suspicious Parent"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Suspicious Parent"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: ESET Protect Remote Action"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: ESET Protect Set Policy"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: ESET Protect Vulnerability Exploitation Attempt"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: ESET Protect Vulnerability Exploitation Attempt"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x ESET Protect [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Microsoft Office Spawning Script, Socat Reverse Shell Detection, AutoIt3 Execution From Suspicious Folder, Bloodhound and Sharphound Tools Usage, Socat Relaying Socket, QakBot Process Creation, Suspicious Outlook Child Process"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: QakBot Process Creation, Microsoft Office Spawning Script"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, Cobalt Strike Default Beacons Names, Exploit For CVE-2015-1641, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, Microsoft Office Spawning Script, ESET Protect Intrusion Detection, HTA Infection Chains, Cobalt Strike Default Beacons Names, Exploit For CVE-2015-1641, ISO LNK Infection Chain, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, Suspicious Outlook Child Process, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Svchost Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Smss Wrong Parent, Wsmprovhost Wrong Parent, Wmiprvse Wrong Parent, Explorer Wrong Parent, Searchindexer Wrong Parent"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Rare Logonui Child Found, Searchprotocolhost Wrong Parent, Userinit Wrong Parent, Gpscript Suspicious Parent, SolarWinds Wrong Child Process, Smss Wrong Parent, Explorer Wrong Parent, Winword wrong parent, OneNote Suspicious Children Process, Dllhost Wrong Parent, Svchost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Lsass Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Rare Lsass Child Found, Searchprotocolhost Child Found, Csrss Child Found, Wmiprvse Wrong Parent, Logonui Wrong Parent, Searchindexer Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Rare Logonui Child Found, Searchprotocolhost Wrong Parent, Userinit Wrong Parent, Gpscript Suspicious Parent, SolarWinds Wrong Child Process, Smss Wrong Parent, Explorer Wrong Parent, Winword wrong parent, OneNote Suspicious Children Process, Dllhost Wrong Parent, Svchost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Lsass Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Rare Lsass Child Found, Searchprotocolhost Child Found, Csrss Child Found, Wmiprvse Wrong Parent, Logonui Wrong Parent, Searchindexer Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Rare Logonui Child Found, Searchprotocolhost Wrong Parent, PsExec Process, Userinit Wrong Parent, Gpscript Suspicious Parent, SolarWinds Wrong Child Process, Smss Wrong Parent, Winword wrong parent, OneNote Suspicious Children Process, Suspicious DNS Child Process, Dllhost Wrong Parent, Svchost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Lsass Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Rare Lsass Child Found, Searchprotocolhost Child Found, Csrss Child Found, Wmiprvse Wrong Parent, Logonui Wrong Parent, Searchindexer Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Rare Logonui Child Found, Searchprotocolhost Wrong Parent, PsExec Process, Userinit Wrong Parent, Gpscript Suspicious Parent, SolarWinds Wrong Child Process, Smss Wrong Parent, Winword wrong parent, OneNote Suspicious Children Process, Suspicious DNS Child Process, Dllhost Wrong Parent, Svchost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Lsass Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Rare Lsass Child Found, Searchprotocolhost Child Found, Csrss Child Found, Wmiprvse Wrong Parent, Logonui Wrong Parent, Searchindexer Wrong Parent"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Legitimate Process Execution From Unusual Folder, Phorpiex Process Masquerading, Explorer Wrong Parent"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, AutoIt3 Execution From Suspicious Folder, Legitimate Process Execution From Unusual Folder, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, Process Trace Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious Double Extension, SEKOIA.IO Intelligence Feed, ESET Protect Malware, Suspicious Outlook Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Relaying Socket, Exfiltration And Tunneling Tools Execution, Socat Reverse Shell Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Exfiltration And Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, System Info Discovery"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage, NlTest Usage"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Suspicious Parent"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Suspicious Parent"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: ESET Protect Remote Action"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: ESET Protect Set Policy"}, {"techniqueID": "T1588.006", "score": 100, "comment": "Rules: ESET Protect Vulnerability Exploitation Attempt"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: ESET Protect Vulnerability Exploitation Attempt"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_325369ba-8515-45b4-b750-5db882ea1266_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_325369ba-8515-45b4-b750-5db882ea1266_do_not_edit_manually.json
index b8885e92e4..cb02bd2205 100644
--- a/_shared_content/operations_center/detection/generated/attack_325369ba-8515-45b4-b750-5db882ea1266_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_325369ba-8515-45b4-b750-5db882ea1266_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Sophos Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential LokiBot User-Agent, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Correlation Potential DNS Tunnel, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cryptomining, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, LokiBot Default C2 URL"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-21985 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2020-1147 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-17530 Apache Struts RCE, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-41773 Apache 2.4.49 Path Traversal, GitLab CVE-2021-22205, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2019-0604 SharePoint"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage, Suspicious TOR Gateway"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential LokiBot User-Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, LokiBot Default C2 URL"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Sophos Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Correlation Potential DNS Tunnel, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Covenant Default HTTP Beaconing, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), GitLab CVE-2021-22205, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_331fa58d-8cf9-454a-a87f-48a3dc07d4d3_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_331fa58d-8cf9-454a-a87f-48a3dc07d4d3_do_not_edit_manually.json
index f658f82957..6920340810 100644
--- a/_shared_content/operations_center/detection/generated/attack_331fa58d-8cf9-454a-a87f-48a3dc07d4d3_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_331fa58d-8cf9-454a-a87f-48a3dc07d4d3_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Suricata", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Covenant Default HTTP Beaconing, Koadic MSHTML Command, Dynamic DNS Contacted, Cobalt Strike HTTP Default POST Beaconing, TrevorC2 HTTP Communication, Cobalt Strike HTTP Default GET beaconing, Potential LokiBot User-Agent, Correlation Potential DNS Tunnel, Cobalt Strike DNS Beaconing, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, Sliver DNS Beaconing, Potential Lemon Duck User-Agent, LokiBot Default C2 URL, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-21985 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2020-1147 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-17530 Apache Struts RCE, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-41773 Apache 2.4.49 Path Traversal, GitLab CVE-2021-22205, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2019-0604 SharePoint"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage, Suspicious TOR Gateway"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential LokiBot User-Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Cobalt Strike HTTP Default POST Beaconing, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, LokiBot Default C2 URL"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cobalt Strike DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining, Sliver DNS Beaconing"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Burp Suite Tool Detected, Internet Scanner"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Suricata", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Correlation Potential DNS Tunnel, Sliver DNS Beaconing, Cobalt Strike HTTP Default POST Beaconing, Covenant Default HTTP Beaconing, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Cobalt Strike DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Cobalt Strike HTTP Default GET beaconing, Koadic MSHTML Command, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Nimbo-C2 User Agent, Cryptomining, Potential Lemon Duck User-Agent, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), GitLab CVE-2021-22205, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing, Cobalt Strike HTTP Default GET beaconing, Detect requests to Konni C2 servers, Koadic MSHTML Command, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Cobalt Strike DNS Beaconing"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target, Burp Suite Tool Detected"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_340e3bc7-2b76-48e4-9833-e971451b2979_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_340e3bc7-2b76-48e4-9833-e971451b2979_do_not_edit_manually.json
index b9d90d4a92..882716f1f9 100644
--- a/_shared_content/operations_center/detection/generated/attack_340e3bc7-2b76-48e4-9833-e971451b2979_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_340e3bc7-2b76-48e4-9833-e971451b2979_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Azure Network Watcher", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Azure Network Watcher", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_35855de3-0728-4a83-ae19-e38e167432a1_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_35855de3-0728-4a83-ae19-e38e167432a1_do_not_edit_manually.json
index ce36e12289..0e2fe79005 100644
--- a/_shared_content/operations_center/detection/generated/attack_35855de3-0728-4a83-ae19-e38e167432a1_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_35855de3-0728-4a83-ae19-e38e167432a1_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x OpenLDAP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x OpenLDAP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.json
index a09d51f8fd..0bb15ebf36 100644
--- a/_shared_content/operations_center/detection/generated/attack_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x HarfangLab EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204.002", "score": 100, "comment": "Rules: HarfangLab EDR Critical Threat, HarfangLab EDR High Threat, HarfangLab EDR Low Level Rule Detection, IcedID Execution Using Excel, HarfangLab EDR Medium Level Rule Detection, Malspam Execution Registering Malicious DLL, Sysmon Windows File Block Executable, Microsoft Office Product Spawning Windows Shell, HarfangLab EDR Low Threat, HarfangLab EDR Hlai Engine Detection, Explorer Process Executing HTA File, MS Office Product Spawning Exe in User Dir, Winword Document Droppers, Microsoft Office Spawning Script, Cobalt Strike Default Beacons Names, HarfangLab EDR Process Execution Blocked (HL-AI engine), HarfangLab EDR Suspicious Process Behavior Has Been Detected, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Medium Threat, Microsoft Office Creating Suspicious File, SquirrelWaffle Malspam Execution Loading DLL, HarfangLab EDR Critical Level Rule Detection, Exploit For CVE-2015-1641"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HarfangLab EDR Critical Threat, HarfangLab EDR High Threat, HarfangLab EDR Low Level Rule Detection, IcedID Execution Using Excel, HarfangLab EDR Medium Level Rule Detection, Malspam Execution Registering Malicious DLL, Suspicious Outlook Child Process, Sysmon Windows File Block Executable, Microsoft Office Product Spawning Windows Shell, HarfangLab EDR Low Threat, HarfangLab EDR Hlai Engine Detection, Explorer Process Executing HTA File, ZIP LNK Infection Chain, MS Office Product Spawning Exe in User Dir, Winword Document Droppers, Microsoft Office Spawning Script, ISO LNK Infection Chain, Cobalt Strike Default Beacons Names, HarfangLab EDR Process Execution Blocked (HL-AI engine), HarfangLab EDR Suspicious Process Behavior Has Been Detected, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Medium Threat, Microsoft Office Creating Suspicious File, Microsoft Defender Antivirus Threat Detected, SquirrelWaffle Malspam Execution Loading DLL, HTA Infection Chains, HarfangLab EDR Critical Level Rule Detection, Exploit For CVE-2015-1641"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Venom Multi-hop Proxy agent detection, Suspicious Windows Script Execution, PowerShell NTFS Alternate Data Stream, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious CodePage Switch with CHCP, Default Encoding To UTF-8 PowerShell, Socat Reverse Shell Detection, Generic-reverse-shell-oneliner, WMImplant Hack Tool, Suspicious PowerShell Keywords, Trickbot Malware Activity, PowerShell Downgrade Attack, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PrinterPorts Creation (CVE-2020-1048), Mustang Panda Dropper, Malicious PowerShell Keywords, PowerShell EncodedCommand, QakBot Process Creation, Socat Relaying Socket, Sysprep On AppData Folder, Python Offensive Tools and Packages, Aspnet Compiler, Powershell Web Request, Malspam Execution Registering Malicious DLL, Suspicious Outlook Child Process, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Credential Prompt, Suspicious Taskkill Command, AutoIt3 Execution From Suspicious Folder, Bloodhound and Sharphound Tools Usage, Suspicious Cmd.exe Command Line, MalwareBytes Uninstallation, PowerShell Malicious Nishang PowerShell Commandlets, Mshta Suspicious Child Process, PowerShell Download From URL, PowerShell Commands Invocation, Microsoft Office Spawning Script, Invoke-TheHash Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, XSL Script Processing And SquiblyTwo Attack, Suspicious XOR Encoded PowerShell Command Line, WMIC Uninstall Product, Suspicious PowerShell Invocations - Generic, Exploited CVE-2020-10189 Zoho ManageEngine, Microsoft Office Creating Suspicious File, Microsoft Defender Antivirus Threat Detected, SquirrelWaffle Malspam Execution Loading DLL, Suspicious VBS Execution Parameter, Suspicious PowerShell Invocations - Specific, Lazarus Loaders, Elise Backdoor, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, DNS Exfiltration and Tunneling Tools Execution, PowerShell Invoke Expression With Registry, PowerShell Malicious PowerShell Commandlets, Suspicious File Name, Linux Bash Reverse Shell"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Program Allowed With Suspicious Location, Netsh Allow Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Exclusion Configuration, Netsh RDP Port Opening, Microsoft Defender Antivirus Tampering Detected, Disable .NET ETW Through COMPlus_ETWEnabled, Package Manager Alteration, FLTMC command usage, Windows Defender Deactivation Using PowerShell Script, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PROCEXP152.sys File Created In Tmp, Netsh RDP Port Forwarding, Netsh Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Disabled IE Security Features, ETW Tampering, Powershell AMSI Bypass, MalwareBytes Uninstallation, Raccine Uninstall, Disable Windows Defender Credential Guard, Address Space Layout Randomization (ASLR) Alteration, Windows Firewall Changes, Microsoft Defender Antivirus Disable Using Registry, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable Services, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, WMIC Uninstall Product, TrustedInstaller Impersonation, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Port Opening, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Task Manager Through Registry Key, Netsh Allowed Python Program, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Driver Loaded"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Microsoft Defender Antivirus Tampering Detected, Clear EventLogs Through CommandLine, Erase Shell History, ETW Tampering, Compression Followed By Suppression"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, FLTMC command usage, ETW Tampering"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Exclusion Configuration, Netsh RDP Port Opening, Package Manager Alteration, Windows Defender Deactivation Using PowerShell Script, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PROCEXP152.sys File Created In Tmp, Netsh RDP Port Forwarding, Netsh Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Disabled IE Security Features, MalwareBytes Uninstallation, Raccine Uninstall, Disable Windows Defender Credential Guard, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Disable Services, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, WMIC Uninstall Product, TrustedInstaller Impersonation, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Port Opening, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Task Manager Through Registry Key, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Driver Loaded"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Process Names In Command Line, NTDS.dit File In Suspicious Directory, Mimikatz Basic Commands, Process Memory Dump Using Comsvcs, Grabbing Sensitive Hives Via Reg Utility, WCE wceaux.dll Creation, Copying Browser Files With Credentials, HackTools Suspicious Names, NTDS.dit File Interaction Through Command Line, Suspicious CommandLine Lsassy Pattern, Windows Credential Editor Registry Key, Cmdkey Cached Credentials Recon, Process Trace Alteration, Rubeus Tool Command-line, Wdigest Enable UseLogonCredential, Credential Dump Tools Related Files, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Ursnif Registry Key, Suspicious New Printer Ports In Registry, RedMimicry Winnti Playbook Registry Manipulation, RDP Sensitive Settings Changed, Wdigest Enable UseLogonCredential, Suspicious Desktopimgdownldr Execution, Disable Workstation Lock, DHCP Callout DLL Installation, FlowCloud Malware, DNS ServerLevelPluginDll Installation, RDP Port Change Using Powershell, OceanLotus Registry Activity, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Information Stealer Downloading Legitimate Third-Party DLLs"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Rclone Process, Suspicious certutil command, Network Connection Via Certutil, Information Stealer Downloading Legitimate Third-Party DLLs, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Shell PID Injection, COM Hijack Via Sdclt, CMSTP UAC Bypass via COM Object Access, HTML Smuggling Suspicious Usage, Reconnaissance Commands Activities, UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP UAC Bypass via COM Object Access, CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Empire Monkey Activity, IcedID Execution Using Excel, Suspicious Desktopimgdownldr Execution, Suspicious Mshta Execution, xWizard Execution, Suspicious Regsvr32 Execution, Malspam Execution Registering Malicious DLL, MavInject Process Injection, PowerShell Execution Via Rundll32, CertOC Loading Dll, Suspicious DLL Loading By Ordinal, CMSTP UAC Bypass via COM Object Access, Suspicious Taskkill Command, MOFComp Execution, Explorer Process Executing HTA File, Equation Group DLL_U Load, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Regasm Regsvcs Usage, CMSTP Execution, SquirrelWaffle Malspam Execution Loading DLL, Control Panel Items, Suspicious Control Process, AccCheckConsole Executing Dll, Mshta JavaScript Execution, Suspicious Windows Installer Execution, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, QakBot Process Creation, Suspicious CodePage Switch with CHCP, Microsoft Office Creating Suspicious File, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Suspicious VBS Execution Parameter, Microsoft Office Spawning Script, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell NTFS Alternate Data Stream, Default Encoding To UTF-8 PowerShell, WMImplant Hack Tool, Suspicious PowerShell Keywords, PowerShell Downgrade Attack, Suspicious PrinterPorts Creation (CVE-2020-1048), Malicious PowerShell Keywords, PowerShell EncodedCommand, Powershell Web Request, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Credential Prompt, Suspicious Taskkill Command, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, Mshta Suspicious Child Process, PowerShell Download From URL, Invoke-TheHash Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, Suspicious PowerShell Invocations - Generic, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, PowerShell Invoke Expression With Registry, PowerShell Malicious PowerShell Commandlets"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, COM Hijack Via Sdclt, Control Panel Items, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, HTML Smuggling Suspicious Usage, Sticky Key Like Backdoor Usage, WMI Persistence Script Event Consumer File Write, Reconnaissance Commands Activities, Change Default File Association, Component Object Model Hijacking"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, WMI Fingerprint Commands, Shadow Copies, System Info Discovery, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Wsmprovhost Wrong Parent, Smss Wrong Parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration, Svchost Wrong Parent, Searchprotocolhost Wrong Parent, Searchindexer Wrong Parent, Taskhost Wrong Parent, Taskhostw Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Explorer Wrong Parent"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Suspicious Commands From MS SQL Server Shell, Winrshost Wrong Parent, Wsmprovhost Wrong Parent, Wininit Wrong Parent, SolarWinds Wrong Child Process, Spoolsv Wrong Parent, Winlogon wrong parent, Svchost Wrong Parent, Winword wrong parent, Taskhostw Wrong Parent, Dllhost Wrong Parent, Csrss Wrong Parent, Rare Lsass Child Found, Smss Wrong Parent, OneNote Suspicious Children Process, Searchprotocolhost Child Found, Gpscript Suspicious Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, New Service Creation, Taskhost Wrong Parent, Explorer Wrong Parent, Wmiprvse Wrong Parent, Logonui Wrong Parent, Csrss Child Found, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Userinit Wrong Parent, Lsass Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Suspicious Commands From MS SQL Server Shell, Winrshost Wrong Parent, Wsmprovhost Wrong Parent, Wininit Wrong Parent, SolarWinds Wrong Child Process, Spoolsv Wrong Parent, Winlogon wrong parent, Svchost Wrong Parent, Winword wrong parent, Taskhostw Wrong Parent, Dllhost Wrong Parent, Csrss Wrong Parent, Rare Lsass Child Found, Smss Wrong Parent, OneNote Suspicious Children Process, Searchprotocolhost Child Found, Gpscript Suspicious Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, New Service Creation, Taskhost Wrong Parent, Explorer Wrong Parent, Wmiprvse Wrong Parent, Logonui Wrong Parent, Csrss Child Found, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Userinit Wrong Parent, Lsass Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Suspicious Commands From MS SQL Server Shell, Winrshost Wrong Parent, Suspicious DNS Child Process, Wsmprovhost Wrong Parent, Wininit Wrong Parent, SolarWinds Wrong Child Process, Spoolsv Wrong Parent, Winlogon wrong parent, Svchost Wrong Parent, PsExec Process, Winword wrong parent, Taskhostw Wrong Parent, Dllhost Wrong Parent, Usage Of Sysinternals Tools, Csrss Wrong Parent, Rare Lsass Child Found, Smss Wrong Parent, OneNote Suspicious Children Process, Searchprotocolhost Child Found, Gpscript Suspicious Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, Taskhost Wrong Parent, Usage Of Procdump With Common Arguments, Wmiprvse Wrong Parent, Logonui Wrong Parent, Csrss Child Found, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Userinit Wrong Parent, Lsass Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Suspicious Commands From MS SQL Server Shell, Winrshost Wrong Parent, Suspicious DNS Child Process, Wsmprovhost Wrong Parent, Wininit Wrong Parent, SolarWinds Wrong Child Process, Spoolsv Wrong Parent, Windows Update LolBins, Winlogon wrong parent, Svchost Wrong Parent, PsExec Process, Winword wrong parent, Taskhostw Wrong Parent, SolarWinds Suspicious File Creation, Dllhost Wrong Parent, Usage Of Sysinternals Tools, Csrss Wrong Parent, Rare Lsass Child Found, Smss Wrong Parent, OneNote Suspicious Children Process, Searchprotocolhost Child Found, Gpscript Suspicious Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, Taskhost Wrong Parent, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, Wmiprvse Wrong Parent, Logonui Wrong Parent, Csrss Child Found, Microsoft Defender Antivirus Threat Detected, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Userinit Wrong Parent, Lsass Wrong Parent"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Enabling Restricted Admin Mode, Add User to Privileged Group, Password Change On Directory Service Restore Mode (DSRM) Account, SSH Authorized Key Alteration"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Powershell AMSI Bypass, Netsh Port Opening, Netsh Program Allowed With Suspicious Location, Netsh Allow Command, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password, PowerShell Data Compressed"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Blue Mockingbird Malware, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Windows Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges, Cron Files Alteration, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Windows Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Antivirus Relevant File Paths Alerts, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Openfiles Usage, Network Scanning and Discovery, Shell PID Injection, PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Shell PID Injection, Discovery Commands Correlation, PowerView commandlets 1, Active Directory Data Export Using Csvde, Reconnaissance Commands Activities, Phosphorus (APT35) Exchange Discovery, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Phosphorus Domain Controller Discovery, NlTest Usage, Trickbot Malware Activity, PowerView commandlets 1, AdFind Usage, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, IIS Module Installation Using AppCmd, Webshell Execution W3WP Process, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Copy Of Legitimate System32 Executable, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, AutoIt3 Execution From Suspicious Folder, RTLO Character, Suspicious Cmd.exe Command Line, Explorer Wrong Parent"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Ngrok Process Execution, Netsh Port Forwarding, Potential DNS Tunnel"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Correlation Multi Service Disable"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Stop Backup Services"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Process Call Creation, WMIC Uninstall Product, Impacket Wmiexec Module, WMImplant Hack Tool, WMI Install Of Binary, WMI Fingerprint Commands, Invoke-TheHash Commandlets, Suspicious Mshta Execution From Wmi, Wmic Service Call, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, PowerShell NTFS Alternate Data Stream, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Correlation Potential DNS Tunnel, Cobalt Strike DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution, Cryptomining, Sliver DNS Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential LokiBot User-Agent, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Dynamic DNS Contacted, Correlation Potential DNS Tunnel, Covenant Default HTTP Beaconing, Suspicious Windows DNS Queries, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Bazar Loader DGA (Domain Generation Algorithm), Cobalt Strike DNS Beaconing, Sliver DNS Beaconing, DNS Tunnel Technique From MuddyWater, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Cryptomining"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Autorun Keys Modification, Leviathan Registry Key Activity, Powershell Winlogon Helper DLL, DLL Load via LSASS Registry Key, Suspicious desktop.ini Action, Svchost Modification, Njrat Registry Values, Security Support Provider (SSP) Added to LSA Configuration, RUN Registry Key Created From Suspicious Folder, Kernel Module Alteration, NjRat Registry Changes"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Impacket Addcomputer, Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious New Printer Ports In Registry, Antivirus Relevant File Paths Alerts, Exploit For CVE-2015-1641, Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious XOR Encoded PowerShell Command Line, Suspicious certutil command, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Gpresult Usage, Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, Network Sniffing, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell EncodedCommand, OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, Suspicious Network Args In Command Line"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Port Change Using Powershell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, RDP Port Change Using Powershell, MMC20 Lateral Movement"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Office Application Startup Office Test"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Leviathan Registry Key Activity, Autorun Keys Modification, Svchost Modification, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, Credentials Extraction, Information Stealer Downloading Legitimate Third-Party DLLs, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access, Adexplorer Usage, Credentials Extraction, Linux Suspicious Search, Opening Of a Password File, Container Credential Access"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, PowerShell Execution Via Rundll32, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands, Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: System Network Connections Discovery, Adidnsdump Enumeration, ACLight Discovering Privileged Accounts, Remote System Discovery Via Telnet, Microsoft Windows Active Directory Module Commandlets"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, WMIC Uninstall Product, MalwareBytes Uninstallation, Exploited CVE-2020-10189 Zoho ManageEngine, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Lazarus Loaders, Elise Backdoor, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, Phorpiex DriveMgr Command, Mustang Panda Dropper"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Potential DNS Tunnel, Exfiltration Domain, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder, Explorer Wrong Parent"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Callout DLL Installation, DHCP Server Error Failed Loading the CallOut DLL, DNS ServerLevelPluginDll Installation, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Callout DLL Installation, DHCP Server Error Failed Loading the CallOut DLL, Dynamic Linker Hijacking From Environment Variable, DNS ServerLevelPluginDll Installation, Exploiting SetupComplete.cmd CVE-2019-1378, DHCP Server Loaded the CallOut DLL, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, Suspicious Outlook Child Process, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential LokiBot User-Agent, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Suspicious Windows DNS Queries, Python HTTP Server, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern, Credential Dump Tools Related Files, Process Memory Dump Using Createdump, Windows Credential Editor Registry Key"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, Discovery Commands Correlation"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup, Wmic Suspicious Commands"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding, Suspicious TOR Gateway"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Shell PID Injection"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x HarfangLab EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204.002", "score": 100, "comment": "Rules: HarfangLab EDR Low Threat, HarfangLab EDR Medium Level Rule Detection, IcedID Execution Using Excel, HarfangLab EDR Low Level Rule Detection, Microsoft Office Spawning Script, HarfangLab EDR Hlai Engine Detection, Malspam Execution Registering Malicious DLL, Exploit For CVE-2015-1641, Microsoft Office Creating Suspicious File, Microsoft Office Product Spawning Windows Shell, Sysmon Windows File Block Executable, HarfangLab EDR Critical Level Rule Detection, HarfangLab EDR Process Execution Blocked (HL-AI engine), HarfangLab EDR High Threat, Winword Document Droppers, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Medium Threat, HarfangLab EDR Critical Threat, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, HarfangLab EDR Suspicious Process Behavior Has Been Detected, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HarfangLab EDR Low Threat, HarfangLab EDR Medium Level Rule Detection, ZIP LNK Infection Chain, IcedID Execution Using Excel, HTA Infection Chains, HarfangLab EDR Low Level Rule Detection, Microsoft Defender Antivirus Threat Detected, Microsoft Office Spawning Script, HarfangLab EDR Hlai Engine Detection, Malspam Execution Registering Malicious DLL, Exploit For CVE-2015-1641, Microsoft Office Creating Suspicious File, Microsoft Office Product Spawning Windows Shell, Sysmon Windows File Block Executable, HarfangLab EDR Critical Level Rule Detection, HarfangLab EDR Process Execution Blocked (HL-AI engine), HarfangLab EDR High Threat, Winword Document Droppers, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Medium Threat, ISO LNK Infection Chain, HarfangLab EDR Critical Threat, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, HarfangLab EDR Suspicious Process Behavior Has Been Detected, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Outlook Child Process, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, PowerShell Commands Invocation, Suspicious File Name, Suspicious Outlook Child Process, Bloodhound and Sharphound Tools Usage, Suspicious XOR Encoded PowerShell Command Line, Venom Multi-hop Proxy agent detection, Suspicious PowerShell Keywords, Suspicious Cmd.exe Command Line, WMIC Uninstall Product, Suspicious PowerShell Invocations - Specific, Suspicious VBS Execution Parameter, Microsoft Defender Antivirus Threat Detected, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious CodePage Switch with CHCP, Microsoft Office Spawning Script, Socat Reverse Shell Detection, Phorpiex DriveMgr Command, Invoke-TheHash Commandlets, Malspam Execution Registering Malicious DLL, Powershell Web Request, XSL Script Processing And SquiblyTwo Attack, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Office Creating Suspicious File, Mshta Suspicious Child Process, WMImplant Hack Tool, PowerShell Credential Prompt, Sekoia.io EICAR Detection, Default Encoding To UTF-8 PowerShell, PowerShell Malicious PowerShell Commandlets, Python Offensive Tools and Packages, DNS Exfiltration and Tunneling Tools Execution, AutoIt3 Execution From Suspicious Folder, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Socat Relaying Socket, PowerShell EncodedCommand, FromBase64String Command Line, Suspicious Taskkill Command, Generic-reverse-shell-oneliner, QakBot Process Creation, Aspnet Compiler, PowerShell Downgrade Attack, Linux Bash Reverse Shell, PowerShell NTFS Alternate Data Stream, Elise Backdoor, Exploited CVE-2020-10189 Zoho ManageEngine, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PowerShell Invocations - Generic, Trickbot Malware Activity, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Suspicious Windows Script Execution, Mustang Panda Dropper, SquirrelWaffle Malspam Execution Loading DLL, Lazarus Loaders, Sysprep On AppData Folder, Malicious PowerShell Keywords, PowerShell Download From URL"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Windows Firewall Changes, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Program Allowed With Suspicious Location, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Powershell AMSI Bypass, Microsoft Defender Antivirus Exclusion Configuration, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Opening, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, TrustedInstaller Impersonation, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Port Opening, Disabled IE Security Features, Netsh Port Forwarding, FLTMC command usage, Netsh Allow Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, ETW Tampering, Package Manager Alteration, Disable .NET ETW Through COMPlus_ETWEnabled, AMSI Deactivation Using Registry Key, Suspicious Driver Loaded, Microsoft Defender Antivirus Disable Services, Address Space Layout Randomization (ASLR) Alteration, Fail2ban Unban IP, Clear EventLogs Through CommandLine, Windows Defender Deactivation Using PowerShell Script, Raccine Uninstall, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Suspicious PROCEXP152.sys File Created In Tmp, Disable Task Manager Through Registry Key"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, Microsoft Defender Antivirus Tampering Detected, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Deleted, Erase Shell History, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, FLTMC command usage"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Program Allowed With Suspicious Location, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Microsoft Defender Antivirus Exclusion Configuration, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Opening, TrustedInstaller Impersonation, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Port Opening, Disabled IE Security Features, Netsh Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, Package Manager Alteration, AMSI Deactivation Using Registry Key, Suspicious Driver Loaded, Microsoft Defender Antivirus Disable Services, Address Space Layout Randomization (ASLR) Alteration, Fail2ban Unban IP, Windows Defender Deactivation Using PowerShell Script, Raccine Uninstall, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Suspicious PROCEXP152.sys File Created In Tmp, Disable Task Manager Through Registry Key"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Process Memory Dump Using Comsvcs, NTDS.dit File In Suspicious Directory, HackTools Suspicious Process Names In Command Line, HackTools Suspicious Names, Process Trace Alteration, Grabbing Sensitive Hives Via Reg Utility, Rubeus Tool Command-line, Copying Sensitive Files With Credential Data, Credential Dump Tools Related Files, Suspicious CommandLine Lsassy Pattern, WCE wceaux.dll Creation, Process Memory Dump Using Rdrleakdiag, Wdigest Enable UseLogonCredential, Process Memory Dump Using Createdump, Windows Credential Editor Registry Key, Mimikatz Basic Commands, NTDS.dit File Interaction Through Command Line, Copying Browser Files With Credentials"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, DNS ServerLevelPluginDll Installation, Disable Workstation Lock, Blue Mockingbird Malware, FlowCloud Malware, Wdigest Enable UseLogonCredential, RDP Sensitive Settings Changed, Suspicious New Printer Ports In Registry, RedMimicry Winnti Playbook Registry Manipulation, OceanLotus Registry Activity, Suspicious Desktopimgdownldr Execution, DHCP Callout DLL Installation, Disable .NET ETW Through COMPlus_ETWEnabled, Ursnif Registry Key"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Information Stealer Downloading Legitimate Third-Party DLLs"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File, Information Stealer Downloading Legitimate Third-Party DLLs, Network Connection Via Certutil, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Rclone Process, Suspicious Finger Usage"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access, Reconnaissance Commands Activities, Shell PID Injection, COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, UAC Bypass Via Sdclt"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, Mshta JavaScript Execution, MavInject Process Injection, Suspicious Control Process, MOFComp Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Regasm Regsvcs Usage, Malspam Execution Registering Malicious DLL, CertOC Loading Dll, xWizard Execution, PowerShell Execution Via Rundll32, Control Panel Items, Empire Monkey Activity, Suspicious Desktopimgdownldr Execution, Suspicious Taskkill Command, Suspicious Mshta Execution, Suspicious DLL Loading By Ordinal, Suspicious Regsvr32 Execution, CMSTP UAC Bypass via COM Object Access, CMSTP Execution, Explorer Process Executing HTA File, Equation Group DLL_U Load, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Microsoft Office Spawning Script, Malspam Execution Registering Malicious DLL, XSL Script Processing And SquiblyTwo Attack, Microsoft Office Creating Suspicious File, Suspicious Windows Script Execution, SquirrelWaffle Malspam Execution Loading DLL, QakBot Process Creation, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, Bloodhound and Sharphound Tools Usage, Suspicious XOR Encoded PowerShell Command Line, Suspicious PowerShell Keywords, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, Invoke-TheHash Commandlets, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), Mshta Suspicious Child Process, WMImplant Hack Tool, PowerShell Credential Prompt, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, FromBase64String Command Line, Suspicious Taskkill Command, PowerShell Downgrade Attack, PowerShell NTFS Alternate Data Stream, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious PowerShell Invocations - Generic, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell Malicious PowerShell Commandlets, Malicious PowerShell Keywords, PowerShell Download From URL"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence, Control Panel Items, Component Object Model Hijacking, Sticky Key Like Backdoor Usage, Reconnaissance Commands Activities, Change Default File Association, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, New DLL Added To AppCertDlls Registry Key, COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, WMI Fingerprint Commands, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, Shadow Copies, System Info Discovery"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Svchost Wrong Parent, Taskhostw Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Smss Wrong Parent, Wsmprovhost Wrong Parent, Wmiprvse Wrong Parent, MavInject Process Injection, Explorer Wrong Parent, Spoolsv Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Searchindexer Wrong Parent"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Rare Logonui Child Found, Searchprotocolhost Wrong Parent, Spoolsv Wrong Parent, Wininit Wrong Parent, New Service Creation, Userinit Wrong Parent, Winrshost Wrong Parent, Gpscript Suspicious Parent, SolarWinds Wrong Child Process, Smss Wrong Parent, Explorer Wrong Parent, Winword wrong parent, OneNote Suspicious Children Process, Dllhost Wrong Parent, Svchost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Lsass Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Rare Lsass Child Found, Searchprotocolhost Child Found, Csrss Wrong Parent, Csrss Child Found, Suspicious Commands From MS SQL Server Shell, Wmiprvse Wrong Parent, Logonui Wrong Parent, Searchindexer Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Rare Logonui Child Found, Searchprotocolhost Wrong Parent, Spoolsv Wrong Parent, Wininit Wrong Parent, New Service Creation, Userinit Wrong Parent, Winrshost Wrong Parent, Gpscript Suspicious Parent, SolarWinds Wrong Child Process, Smss Wrong Parent, Explorer Wrong Parent, Winword wrong parent, OneNote Suspicious Children Process, Dllhost Wrong Parent, Svchost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Lsass Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Rare Lsass Child Found, Searchprotocolhost Child Found, Csrss Wrong Parent, Csrss Child Found, Suspicious Commands From MS SQL Server Shell, Wmiprvse Wrong Parent, Logonui Wrong Parent, Searchindexer Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Rare Logonui Child Found, Searchprotocolhost Wrong Parent, PsExec Process, Spoolsv Wrong Parent, Wininit Wrong Parent, Userinit Wrong Parent, Winrshost Wrong Parent, Gpscript Suspicious Parent, SolarWinds Wrong Child Process, Smss Wrong Parent, Usage Of Procdump With Common Arguments, Winword wrong parent, OneNote Suspicious Children Process, Suspicious DNS Child Process, Dllhost Wrong Parent, Svchost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Lsass Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Rare Lsass Child Found, Searchprotocolhost Child Found, Csrss Wrong Parent, Csrss Child Found, Suspicious Commands From MS SQL Server Shell, Usage Of Sysinternals Tools, Wmiprvse Wrong Parent, Logonui Wrong Parent, Searchindexer Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Rare Logonui Child Found, Searchprotocolhost Wrong Parent, PsExec Process, Spoolsv Wrong Parent, Wininit Wrong Parent, Microsoft Defender Antivirus Threat Detected, Userinit Wrong Parent, Exfiltration Via Pscp, Winrshost Wrong Parent, Windows Update LolBins, Gpscript Suspicious Parent, SolarWinds Wrong Child Process, Smss Wrong Parent, Usage Of Procdump With Common Arguments, Winword wrong parent, OneNote Suspicious Children Process, Suspicious DNS Child Process, Dllhost Wrong Parent, Svchost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Lsass Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Rare Lsass Child Found, Searchprotocolhost Child Found, Csrss Wrong Parent, Csrss Child Found, SolarWinds Suspicious File Creation, Suspicious Commands From MS SQL Server Shell, Usage Of Sysinternals Tools, Wmiprvse Wrong Parent, Logonui Wrong Parent, Searchindexer Wrong Parent"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Mimikatz Basic Commands, SSH Authorized Key Alteration, Enabling Restricted Admin Mode, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Netsh Allow Command, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Program Allowed With Suspicious Location, Powershell AMSI Bypass, Netsh Port Opening, Netsh Port Forwarding"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, PowerShell Data Compressed, Data Compressed With Rar With Password"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Schtasks Persistence With High Privileges, Cron Files Alteration, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, Windows Suspicious Scheduled Task Creation"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, Windows Suspicious Scheduled Task Creation"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Antivirus Relevant File Paths Alerts, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, Suspicious DNS Child Process"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, PowerView commandlets 2, Openfiles Usage, Shell PID Injection, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, Phosphorus (APT35) Exchange Discovery, PowerView commandlets 2, Reconnaissance Commands Activities, Shell PID Injection, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 1, Network Share Discovery, PowerView commandlets 2"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, Trickbot Malware Activity, PowerView commandlets 2, NlTest Usage, AdFind Usage, Phosphorus Domain Controller Discovery, PowerView commandlets 1"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading, Webshell Creation, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading, Webshell Creation, IIS Module Installation Using AppCmd, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Copy Of Legitimate System32 Executable, AutoIt3 Execution From Suspicious Folder, Formbook Hijacked Process Command, Non-Legitimate Executable Using AcceptEula Parameter, Legitimate Process Execution From Unusual Folder, Suspicious Cmd.exe Command Line, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Socat Reverse Shell Detection, Socat Relaying Socket, Potential DNS Tunnel, Venom Multi-hop Proxy agent detection, Ngrok Process Execution, Netsh Port Forwarding"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Stop Backup Services, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, WMI Fingerprint Commands, WMI Install Of Binary, Impacket Wmiexec Module, Invoke-TheHash Commandlets, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, Wmic Process Call Creation, WMIC Uninstall Product, WMImplant Hack Tool, Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Linux Suspicious Nohup Exec, PowerShell NTFS Alternate Data Stream, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing, DNS Tunnel Technique From MuddyWater, Cobalt Strike DNS Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Exfiltration And Tunneling Tools Execution, Cryptomining, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing, Suspicious Windows DNS Queries, Potential LokiBot User-Agent, Koadic MSHTML Command, DNS Tunnel Technique From MuddyWater, Covenant Default HTTP Beaconing, Dynamic DNS Contacted, Cobalt Strike DNS Beaconing"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, DLL Load via LSASS Registry Key, Malware Persistence Registry Key, RUN Registry Key Created From Suspicious Folder, Suspicious desktop.ini Action, NjRat Registry Changes, Svchost Modification, Njrat Registry Values, Autorun Keys Modification, Kernel Module Alteration, Powershell Winlogon Helper DLL, Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created, Impacket Addcomputer"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Antivirus Relevant File Paths Alerts, Suspicious Hangul Word Processor Child Process, Msdt (Follina) File Browse Process Execution, Exploit For CVE-2015-1641, Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Suspicious XOR Encoded PowerShell Command Line, OneNote Embedded File, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell EncodedCommand"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, Suspicious Network Args In Command Line"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Port Change Using Powershell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, IcedID Execution Using Excel"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder, Svchost Modification, Autorun Keys Modification, Malware Persistence Registry Key"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, Credentials Extraction, Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Adexplorer Usage, Opening Of a Password File, Credentials Extraction, Linux Suspicious Search, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, Empire Monkey Activity, Equation Group DLL_U Load, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, Suspicious Headless Web Browser Execution To Download File, Discovery Commands Correlation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, Cmd.exe Used To Run Reconnaissance Commands, Discovery Commands Correlation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: System Network Connections Discovery, Remote System Discovery Via Telnet, ACLight Discovering Privileged Accounts, Microsoft Windows Active Directory Module Commandlets, Adidnsdump Enumeration"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Elise Backdoor, Exploited CVE-2020-10189 Zoho ManageEngine, Exploiting SetupComplete.cmd CVE-2019-1378, Phorpiex DriveMgr Command, Malspam Execution Registering Malicious DLL, Suspicious Cmd.exe Command Line, Suspicious Taskkill Command, Mustang Panda Dropper, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line, Exfiltration Domain"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Legitimate Process Execution From Unusual Folder, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Callout DLL Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL, Exploiting SetupComplete.cmd CVE-2019-1378, DNS Server Error Failed Loading The ServerLevelPluginDLL, Hijack Legit RDP Session To Move Laterally, Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Hangul Word Processor Child Process, Suspicious Outlook Child Process"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent, Python HTTP Server, Suspicious Windows DNS Queries, Potential LokiBot User-Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Windows Credential Editor Registry Key, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Suspicious New Printer Ports In Registry, Certify Or Certipy, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Shell PID Injection, Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_3e060900-4004-4754-a597-d2944a601930_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_3e060900-4004-4754-a597-d2944a601930_do_not_edit_manually.json
index 345ce77d4f..21d038501e 100644
--- a/_shared_content/operations_center/detection/generated/attack_3e060900-4004-4754-a597-d2944a601930_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_3e060900-4004-4754-a597-d2944a601930_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x AWS GuardDuty", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, AWS GuardDuty High Severity Alert, AWS GuardDuty Low Severity Alert, AWS GuardDuty Medium Severity Alert"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: AWS GuardDuty Medium Severity Alert, AWS GuardDuty High Severity Alert, AWS GuardDuty Low Severity Alert"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Correlation Potential DNS Tunnel, Cryptomining, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage, Suspicious TOR Gateway"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Burp Suite Tool Detected, Internet Scanner"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x AWS GuardDuty", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: AWS GuardDuty Low Severity Alert, Sekoia.io EICAR Detection, AWS GuardDuty High Severity Alert, AWS GuardDuty Medium Severity Alert"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: AWS GuardDuty Low Severity Alert, AWS GuardDuty High Severity Alert, AWS GuardDuty Medium Severity Alert"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Cryptomining, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Correlation Potential DNS Tunnel, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target, Burp Suite Tool Detected"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_3f330d19-fdea-48ac-96bd-91a447bb26bd_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_3f330d19-fdea-48ac-96bd-91a447bb26bd_do_not_edit_manually.json
index 7470c78fe9..ef83f41613 100644
--- a/_shared_content/operations_center/detection/generated/attack_3f330d19-fdea-48ac-96bd-91a447bb26bd_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_3f330d19-fdea-48ac-96bd-91a447bb26bd_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Sophos EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: Sophos EDR Application Detected, Sophos EDR CorePUA Clean, Sophos EDR Application Blocked, Download Files From Suspicious TLDs, Sophos EDR CorePUA Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Sophos EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: Sophos EDR CorePUA Detection, Download Files From Suspicious TLDs, Sophos EDR Application Detected, Sophos EDR CorePUA Clean, Sophos EDR Application Blocked"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_3f99cdd8-aeca-4860-a846-6f2a794583e1_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_3f99cdd8-aeca-4860-a846-6f2a794583e1_do_not_edit_manually.json
index 7c32fe76a1..f5a0ae3632 100644
--- a/_shared_content/operations_center/detection/generated/attack_3f99cdd8-aeca-4860-a846-6f2a794583e1_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_3f99cdd8-aeca-4860-a846-6f2a794583e1_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Azure Database for MySQL", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Azure Database for MySQL", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_40bac399-2d8e-40e3-af3b-f73a622c9687_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_40bac399-2d8e-40e3-af3b-f73a622c9687_do_not_edit_manually.json
index 976b1bbb53..2504b20008 100644
--- a/_shared_content/operations_center/detection/generated/attack_40bac399-2d8e-40e3-af3b-f73a622c9687_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_40bac399-2d8e-40e3-af3b-f73a622c9687_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Skyhigh Secure Web Gateway / McAfee Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Socat Reverse Shell Detection, Socat Relaying Socket, Bloodhound and Sharphound Tools Usage, Suspicious File Name"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, HTA Infection Chains, Download Files From Non-Legitimate TLDs, ISO LNK Infection Chain, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, HTA Infection Chains, Download Files From Non-Legitimate TLDs, ISO LNK Infection Chain, Download Files From Suspicious TLDs"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Network Connection Via Certutil, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, HackTools Suspicious Names, Credential Dump Tools Related Files"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Potential DNS Tunnel, Socat Relaying Socket, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential LokiBot User-Agent, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Cobalt Strike HTTP Default POST Beaconing, Suspicious Windows DNS Queries, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, TrevorC2 HTTP Communication, Cobalt Strike HTTP Default GET beaconing, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, LokiBot Default C2 URL"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Covenant Default HTTP Beaconing, Suspicious Windows DNS Queries, Koadic MSHTML Command, Dynamic DNS Contacted, Cobalt Strike HTTP Default POST Beaconing, TrevorC2 HTTP Communication, Cobalt Strike HTTP Default GET beaconing, Potential LokiBot User-Agent, Correlation Potential DNS Tunnel, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, LokiBot Default C2 URL, Exfiltration And Tunneling Tools Execution, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, Discovery Commands Correlation"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, Discovery Commands Correlation"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Discovery Commands Correlation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Suspicious Double Extension, Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-21985 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2020-1147 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-17530 Apache Struts RCE, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-41773 Apache 2.4.49 Path Traversal, GitLab CVE-2021-22205, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2019-0604 SharePoint"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Skyhigh Secure Web Gateway / McAfee Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Socat Reverse Shell Detection, Suspicious File Name, Socat Relaying Socket, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, Download Files From Suspicious TLDs, HTA Infection Chains, Cobalt Strike Default Beacons Names, Download Files From Non-Legitimate TLDs, ISO LNK Infection Chain"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, Download Files From Suspicious TLDs, HTA Infection Chains, Download Files From Non-Legitimate TLDs, ISO LNK Infection Chain"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Network Connection Via Certutil, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, HackTools Suspicious Names, WCE wceaux.dll Creation"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Socat Relaying Socket, Exfiltration And Tunneling Tools Execution, Socat Reverse Shell Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Exfiltration And Tunneling Tools Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, Suspicious Windows DNS Queries, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default POST Beaconing, Potential LokiBot User-Agent, Cobalt Strike HTTP Default GET beaconing, Detect requests to Konni C2 servers, Koadic MSHTML Command, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Correlation Potential DNS Tunnel, Cobalt Strike HTTP Default POST Beaconing, Covenant Default HTTP Beaconing, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Bazar Loader DGA (Domain Generation Algorithm), Cobalt Strike HTTP Default GET beaconing, Koadic MSHTML Command, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Nimbo-C2 User Agent, Exfiltration And Tunneling Tools Execution, Cryptomining, Potential Lemon Duck User-Agent, Suspicious Windows DNS Queries, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Dynamic DNS Contacted"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, System Info Discovery"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Download Files From Non-Legitimate TLDs, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage, NlTest Usage"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), GitLab CVE-2021-22205, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_40deb162-6bb1-4635-9c99-5c2de7e1d340_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_40deb162-6bb1-4635-9c99-5c2de7e1d340_do_not_edit_manually.json
index fb25c7fb6e..535665e836 100644
--- a/_shared_content/operations_center/detection/generated/attack_40deb162-6bb1-4635-9c99-5c2de7e1d340_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_40deb162-6bb1-4635-9c99-5c2de7e1d340_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x SentinelOne Cloud Funnel 2.0", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Venom Multi-hop Proxy agent detection, Suspicious Windows Script Execution, PowerShell NTFS Alternate Data Stream, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious CodePage Switch with CHCP, Default Encoding To UTF-8 PowerShell, Socat Reverse Shell Detection, Generic-reverse-shell-oneliner, WMImplant Hack Tool, Suspicious PowerShell Keywords, Trickbot Malware Activity, PowerShell Downgrade Attack, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PrinterPorts Creation (CVE-2020-1048), Mustang Panda Dropper, Malicious PowerShell Keywords, PowerShell EncodedCommand, QakBot Process Creation, Socat Relaying Socket, Sysprep On AppData Folder, Python Offensive Tools and Packages, Aspnet Compiler, Powershell Web Request, Malspam Execution Registering Malicious DLL, Suspicious Outlook Child Process, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Credential Prompt, Suspicious Taskkill Command, AutoIt3 Execution From Suspicious Folder, Bloodhound and Sharphound Tools Usage, Suspicious Cmd.exe Command Line, MalwareBytes Uninstallation, PowerShell Malicious Nishang PowerShell Commandlets, Mshta Suspicious Child Process, PowerShell Download From URL, PowerShell Commands Invocation, Microsoft Office Spawning Script, Invoke-TheHash Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, XSL Script Processing And SquiblyTwo Attack, Suspicious XOR Encoded PowerShell Command Line, WMIC Uninstall Product, Suspicious PowerShell Invocations - Generic, Exploited CVE-2020-10189 Zoho ManageEngine, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Suspicious VBS Execution Parameter, Suspicious PowerShell Invocations - Specific, Lazarus Loaders, Elise Backdoor, DNS Exfiltration and Tunneling Tools Execution, PowerShell Invoke Expression With Registry, PowerShell Malicious PowerShell Commandlets, Linux Bash Reverse Shell"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, FLTMC command usage, ETW Tampering"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Program Allowed With Suspicious Location, Netsh Allow Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Exclusion Configuration, Netsh RDP Port Opening, Disable .NET ETW Through COMPlus_ETWEnabled, Package Manager Alteration, FLTMC command usage, Windows Defender Deactivation Using PowerShell Script, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PROCEXP152.sys File Created In Tmp, Netsh RDP Port Forwarding, Netsh Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Disabled IE Security Features, ETW Tampering, Powershell AMSI Bypass, MalwareBytes Uninstallation, Raccine Uninstall, Disable Windows Defender Credential Guard, Address Space Layout Randomization (ASLR) Alteration, Windows Firewall Changes, Microsoft Defender Antivirus Disable Using Registry, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable Services, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, NetNTLM Downgrade Attack, Dism Disabling Windows Defender, WMIC Uninstall Product, TrustedInstaller Impersonation, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Port Opening, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Task Manager Through Registry Key, Netsh Allowed Python Program, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Driver Loaded"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Exclusion Configuration, Netsh RDP Port Opening, Package Manager Alteration, Windows Defender Deactivation Using PowerShell Script, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PROCEXP152.sys File Created In Tmp, Netsh RDP Port Forwarding, Netsh Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Disabled IE Security Features, MalwareBytes Uninstallation, Raccine Uninstall, Disable Windows Defender Credential Guard, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Disable Services, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, NetNTLM Downgrade Attack, Dism Disabling Windows Defender, WMIC Uninstall Product, TrustedInstaller Impersonation, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Port Opening, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Task Manager Through Registry Key, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Driver Loaded"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Comsvcs, Mimikatz Basic Commands, Grabbing Sensitive Hives Via Reg Utility, Dumpert LSASS Process Dumper, Copying Browser Files With Credentials, HackTools Suspicious Names, NTDS.dit File Interaction Through Command Line, Suspicious CommandLine Lsassy Pattern, Windows Credential Editor Registry Key, Load Of dbghelp/dbgcore DLL From Suspicious Process, Cmdkey Cached Credentials Recon, Process Trace Alteration, Rubeus Tool Command-line, Wdigest Enable UseLogonCredential, NetNTLM Downgrade Attack, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Ursnif Registry Key, Suspicious New Printer Ports In Registry, RedMimicry Winnti Playbook Registry Manipulation, RDP Sensitive Settings Changed, Wdigest Enable UseLogonCredential, Suspicious Desktopimgdownldr Execution, Disable Workstation Lock, DHCP Callout DLL Installation, FlowCloud Malware, DNS ServerLevelPluginDll Installation, RDP Port Change Using Powershell, Disabling SmartScreen Via Registry, OceanLotus Registry Activity, NetNTLM Downgrade Attack, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Rclone Process, Suspicious certutil command, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Shell PID Injection, COM Hijack Via Sdclt, CMSTP UAC Bypass via COM Object Access, HTML Smuggling Suspicious Usage, Reconnaissance Commands Activities, UAC Bypass via Event Viewer, UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP UAC Bypass via COM Object Access, CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Empire Monkey Activity, IcedID Execution Using Excel, Suspicious Desktopimgdownldr Execution, Suspicious Mshta Execution, xWizard Execution, Suspicious Regsvr32 Execution, Malspam Execution Registering Malicious DLL, MavInject Process Injection, PowerShell Execution Via Rundll32, CertOC Loading Dll, Suspicious DLL Loading By Ordinal, CMSTP UAC Bypass via COM Object Access, Suspicious Taskkill Command, MOFComp Execution, Explorer Process Executing HTA File, Equation Group DLL_U Load, Suspicious Regasm Regsvcs Usage, CMSTP Execution, SquirrelWaffle Malspam Execution Loading DLL, Control Panel Items, Suspicious Control Process, AccCheckConsole Executing Dll, Mshta JavaScript Execution, Suspicious Windows Installer Execution, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, QakBot Process Creation, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Suspicious VBS Execution Parameter, Microsoft Office Spawning Script, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, MS Office Product Spawning Exe in User Dir, Winword Document Droppers, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, ZIP LNK Infection Chain, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, MS Office Product Spawning Exe in User Dir, Winword Document Droppers, Suspicious Outlook Child Process, HTA Infection Chains, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, ISO LNK Infection Chain, Exploit For CVE-2015-1641, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell NTFS Alternate Data Stream, Default Encoding To UTF-8 PowerShell, WMImplant Hack Tool, Suspicious PowerShell Keywords, PowerShell Downgrade Attack, Suspicious PrinterPorts Creation (CVE-2020-1048), Malicious PowerShell Keywords, PowerShell EncodedCommand, Powershell Web Request, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Credential Prompt, Suspicious Taskkill Command, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, Mshta Suspicious Child Process, PowerShell Download From URL, Invoke-TheHash Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, Suspicious PowerShell Invocations - Generic, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, PowerShell Invoke Expression With Registry, PowerShell Malicious PowerShell Commandlets"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, COM Hijack Via Sdclt, Control Panel Items, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, HTML Smuggling Suspicious Usage, Sticky Key Like Backdoor Usage, WMI Persistence Script Event Consumer File Write, Reconnaissance Commands Activities, Change Default File Association, Component Object Model Hijacking"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, WMI Fingerprint Commands, Shadow Copies, System Info Discovery, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Wsmprovhost Wrong Parent, Smss Wrong Parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration, Svchost Wrong Parent, Searchprotocolhost Wrong Parent, Searchindexer Wrong Parent, Taskhost Wrong Parent, Taskhostw Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Explorer Wrong Parent"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: WMI Persistence Command Line Event Consumer, Suspicious Commands From MS SQL Server Shell, Winrshost Wrong Parent, Wsmprovhost Wrong Parent, Wininit Wrong Parent, SolarWinds Wrong Child Process, Spoolsv Wrong Parent, Winlogon wrong parent, Svchost Wrong Parent, Winword wrong parent, Taskhostw Wrong Parent, Dllhost Wrong Parent, Csrss Wrong Parent, Rare Lsass Child Found, Smss Wrong Parent, OneNote Suspicious Children Process, Searchprotocolhost Child Found, Gpscript Suspicious Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, New Service Creation, Taskhost Wrong Parent, Explorer Wrong Parent, Wmiprvse Wrong Parent, Logonui Wrong Parent, Csrss Child Found, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Userinit Wrong Parent, Lsass Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: WMI Persistence Command Line Event Consumer, Suspicious Commands From MS SQL Server Shell, Winrshost Wrong Parent, Wsmprovhost Wrong Parent, Wininit Wrong Parent, SolarWinds Wrong Child Process, Spoolsv Wrong Parent, Winlogon wrong parent, Svchost Wrong Parent, Winword wrong parent, Taskhostw Wrong Parent, Dllhost Wrong Parent, Csrss Wrong Parent, Rare Lsass Child Found, Smss Wrong Parent, OneNote Suspicious Children Process, Searchprotocolhost Child Found, Gpscript Suspicious Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, New Service Creation, Taskhost Wrong Parent, Explorer Wrong Parent, Wmiprvse Wrong Parent, Logonui Wrong Parent, Csrss Child Found, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Userinit Wrong Parent, Lsass Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: WMI Persistence Command Line Event Consumer, Suspicious Commands From MS SQL Server Shell, Winrshost Wrong Parent, Suspicious DNS Child Process, Wsmprovhost Wrong Parent, Wininit Wrong Parent, SolarWinds Wrong Child Process, Spoolsv Wrong Parent, Winlogon wrong parent, Svchost Wrong Parent, PsExec Process, Winword wrong parent, Taskhostw Wrong Parent, Dllhost Wrong Parent, Usage Of Sysinternals Tools, Csrss Wrong Parent, Rare Lsass Child Found, Smss Wrong Parent, OneNote Suspicious Children Process, Searchprotocolhost Child Found, Gpscript Suspicious Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, Taskhost Wrong Parent, Usage Of Procdump With Common Arguments, Wmiprvse Wrong Parent, Logonui Wrong Parent, Csrss Child Found, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Userinit Wrong Parent, Lsass Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: WMI Persistence Command Line Event Consumer, Suspicious Commands From MS SQL Server Shell, Winrshost Wrong Parent, Suspicious DNS Child Process, Wsmprovhost Wrong Parent, Wininit Wrong Parent, SolarWinds Wrong Child Process, Spoolsv Wrong Parent, Windows Update LolBins, Winlogon wrong parent, Svchost Wrong Parent, PsExec Process, Winword wrong parent, Taskhostw Wrong Parent, Dllhost Wrong Parent, Usage Of Sysinternals Tools, Csrss Wrong Parent, Rare Lsass Child Found, Smss Wrong Parent, OneNote Suspicious Children Process, Searchprotocolhost Child Found, Gpscript Suspicious Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, Taskhost Wrong Parent, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, Wmiprvse Wrong Parent, Logonui Wrong Parent, Csrss Child Found, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Userinit Wrong Parent, Lsass Wrong Parent"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Add User to Privileged Group, Enabling Restricted Admin Mode, SSH Authorized Key Alteration"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Powershell AMSI Bypass, Netsh Port Opening, Netsh Program Allowed With Suspicious Location, Netsh Allow Command, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password, PowerShell Data Compressed"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Blue Mockingbird Malware, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Cron Files Alteration, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Openfiles Usage, Network Scanning and Discovery, Shell PID Injection, PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Shell PID Injection, Discovery Commands Correlation, PowerView commandlets 1, Active Directory Data Export Using Csvde, Reconnaissance Commands Activities, Phosphorus (APT35) Exchange Discovery, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Phosphorus Domain Controller Discovery, NlTest Usage, Trickbot Malware Activity, PowerView commandlets 1, AdFind Usage, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, ProxyShell Microsoft Exchange Suspicious Paths, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, IIS Module Installation Using AppCmd, Webshell Execution W3WP Process, PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Copy Of Legitimate System32 Executable, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, AutoIt3 Execution From Suspicious Folder, RTLO Character, Suspicious Cmd.exe Command Line, Explorer Wrong Parent"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Ngrok Process Execution, Netsh Port Forwarding, Potential DNS Tunnel"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Correlation Multi Service Disable"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Stop Backup Services"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Process Call Creation, WMIC Uninstall Product, Impacket Wmiexec Module, WMImplant Hack Tool, WMI Install Of Binary, WMI Fingerprint Commands, Invoke-TheHash Commandlets, Suspicious Mshta Execution From Wmi, Wmic Service Call, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, PowerShell NTFS Alternate Data Stream, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution, Cryptomining, Sliver DNS Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Dynamic DNS Contacted, Correlation Potential DNS Tunnel, Suspicious Windows DNS Queries, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Bazar Loader DGA (Domain Generation Algorithm), Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, DNS Tunnel Technique From MuddyWater, Sliver DNS Beaconing, Cryptomining"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, Download Files From Suspicious TLDs, HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Autorun Keys Modification, Leviathan Registry Key Activity, Powershell Winlogon Helper DLL, DLL Load via LSASS Registry Key, Svchost Modification, Njrat Registry Values, Security Support Provider (SSP) Added to LSA Configuration, RUN Registry Key Created From Suspicious Folder, Kernel Module Alteration, NjRat Registry Changes"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious XOR Encoded PowerShell Command Line, Suspicious certutil command, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Gpresult Usage, Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, Network Sniffing, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, Suspicious Network Args In Command Line"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Port Change Using Powershell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, RDP Port Change Using Powershell, MMC20 Lateral Movement"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Office Application Startup Office Test"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Leviathan Registry Key Activity, Autorun Keys Modification, Svchost Modification, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, Credentials Extraction, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access, Adexplorer Usage, Credentials Extraction, Linux Suspicious Search, Opening Of a Password File, Container Credential Access"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, PowerShell Execution Via Rundll32, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands, Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: System Network Connections Discovery, Adidnsdump Enumeration, ACLight Discovering Privileged Accounts, Remote System Discovery Via Telnet, Microsoft Windows Active Directory Module Commandlets"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-26855 Exchange SSRF, CVE-2020-1147 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2018-11776 Apache Struts2, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-21972 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, Suspicious DNS Child Process, CVE-2019-0604 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21985 VMware vCenter"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, WMIC Uninstall Product, MalwareBytes Uninstallation, Exploited CVE-2020-10189 Zoho ManageEngine, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Lazarus Loaders, Elise Backdoor, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, Phorpiex DriveMgr Command, Mustang Panda Dropper"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Dumpert LSASS Process Dumper, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Createdump, Windows Credential Editor Registry Key, Load Of dbghelp/dbgcore DLL From Suspicious Process"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, Erase Shell History, ETW Tampering, Compression Followed By Suppression"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Potential DNS Tunnel, Exfiltration Domain, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder, Explorer Wrong Parent"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious New Printer Ports In Registry, Exploit For CVE-2015-1641, Msdt (Follina) File Browse Process Execution, Download Files From Suspicious TLDs"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Suspicious Double Extension, Suspicious Outlook Child Process, Download Files From Suspicious TLDs"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Suspicious Windows DNS Queries, Python HTTP Server, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, Dynamic Linker Hijacking From Environment Variable, DNS ServerLevelPluginDll Installation, Exploiting SetupComplete.cmd CVE-2019-1378, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, Discovery Commands Correlation"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup, Wmic Suspicious Commands"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding, Suspicious TOR Gateway"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Shell PID Injection"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x SentinelOne Cloud Funnel 2.0", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, PowerShell Commands Invocation, Suspicious Outlook Child Process, Bloodhound and Sharphound Tools Usage, Suspicious XOR Encoded PowerShell Command Line, Venom Multi-hop Proxy agent detection, Suspicious PowerShell Keywords, Suspicious Cmd.exe Command Line, WMIC Uninstall Product, Suspicious PowerShell Invocations - Specific, Suspicious VBS Execution Parameter, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious CodePage Switch with CHCP, Microsoft Office Spawning Script, Socat Reverse Shell Detection, Phorpiex DriveMgr Command, Invoke-TheHash Commandlets, Malspam Execution Registering Malicious DLL, Powershell Web Request, XSL Script Processing And SquiblyTwo Attack, Suspicious PrinterPorts Creation (CVE-2020-1048), Mshta Suspicious Child Process, WMImplant Hack Tool, PowerShell Credential Prompt, Sekoia.io EICAR Detection, Default Encoding To UTF-8 PowerShell, PowerShell Malicious PowerShell Commandlets, Python Offensive Tools and Packages, DNS Exfiltration and Tunneling Tools Execution, AutoIt3 Execution From Suspicious Folder, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Socat Relaying Socket, PowerShell EncodedCommand, FromBase64String Command Line, Suspicious Taskkill Command, Generic-reverse-shell-oneliner, QakBot Process Creation, Aspnet Compiler, PowerShell Downgrade Attack, Linux Bash Reverse Shell, PowerShell NTFS Alternate Data Stream, Elise Backdoor, Exploited CVE-2020-10189 Zoho ManageEngine, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PowerShell Invocations - Generic, Trickbot Malware Activity, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Suspicious Windows Script Execution, Mustang Panda Dropper, SquirrelWaffle Malspam Execution Loading DLL, Lazarus Loaders, Sysprep On AppData Folder, Malicious PowerShell Keywords, PowerShell Download From URL"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, FLTMC command usage"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Windows Firewall Changes, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Program Allowed With Suspicious Location, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Powershell AMSI Bypass, Microsoft Defender Antivirus Exclusion Configuration, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Opening, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, TrustedInstaller Impersonation, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Port Opening, Disabled IE Security Features, Netsh Port Forwarding, FLTMC command usage, Netsh Allow Command, NetNTLM Downgrade Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, ETW Tampering, Package Manager Alteration, Disable .NET ETW Through COMPlus_ETWEnabled, AMSI Deactivation Using Registry Key, Suspicious Driver Loaded, Microsoft Defender Antivirus Disable Services, Address Space Layout Randomization (ASLR) Alteration, Fail2ban Unban IP, Clear EventLogs Through CommandLine, Windows Defender Deactivation Using PowerShell Script, Raccine Uninstall, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Suspicious PROCEXP152.sys File Created In Tmp, Disable Task Manager Through Registry Key"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Program Allowed With Suspicious Location, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Microsoft Defender Antivirus Exclusion Configuration, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Opening, TrustedInstaller Impersonation, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Port Opening, Disabled IE Security Features, Netsh Port Forwarding, NetNTLM Downgrade Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, Package Manager Alteration, AMSI Deactivation Using Registry Key, Suspicious Driver Loaded, Microsoft Defender Antivirus Disable Services, Address Space Layout Randomization (ASLR) Alteration, Fail2ban Unban IP, Windows Defender Deactivation Using PowerShell Script, Raccine Uninstall, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Suspicious PROCEXP152.sys File Created In Tmp, Disable Task Manager Through Registry Key"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Process Memory Dump Using Comsvcs, Dumpert LSASS Process Dumper, HackTools Suspicious Process Names In Command Line, HackTools Suspicious Names, Process Trace Alteration, Grabbing Sensitive Hives Via Reg Utility, Rubeus Tool Command-line, Copying Sensitive Files With Credential Data, Suspicious CommandLine Lsassy Pattern, NetNTLM Downgrade Attack, Process Memory Dump Using Rdrleakdiag, Wdigest Enable UseLogonCredential, Process Memory Dump Using Createdump, Windows Credential Editor Registry Key, Load Of dbghelp/dbgcore DLL From Suspicious Process, Mimikatz Basic Commands, NTDS.dit File Interaction Through Command Line, Copying Browser Files With Credentials"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, DNS ServerLevelPluginDll Installation, Disable Workstation Lock, NetNTLM Downgrade Attack, Blue Mockingbird Malware, FlowCloud Malware, Wdigest Enable UseLogonCredential, RDP Sensitive Settings Changed, Suspicious New Printer Ports In Registry, RedMimicry Winnti Playbook Registry Manipulation, OceanLotus Registry Activity, Suspicious Desktopimgdownldr Execution, Disabling SmartScreen Via Registry, DHCP Callout DLL Installation, Disable .NET ETW Through COMPlus_ETWEnabled, Ursnif Registry Key"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Rclone Process, Suspicious Finger Usage"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access, Reconnaissance Commands Activities, Shell PID Injection, COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, UAC Bypass Via Sdclt"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, Mshta JavaScript Execution, MavInject Process Injection, Suspicious Control Process, MOFComp Execution, Suspicious Regasm Regsvcs Usage, Malspam Execution Registering Malicious DLL, CertOC Loading Dll, xWizard Execution, PowerShell Execution Via Rundll32, Control Panel Items, Empire Monkey Activity, Suspicious Desktopimgdownldr Execution, Suspicious Taskkill Command, Suspicious Mshta Execution, Suspicious DLL Loading By Ordinal, Suspicious Regsvr32 Execution, CMSTP UAC Bypass via COM Object Access, CMSTP Execution, Explorer Process Executing HTA File, Equation Group DLL_U Load, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Microsoft Office Spawning Script, Malspam Execution Registering Malicious DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, SquirrelWaffle Malspam Execution Loading DLL, QakBot Process Creation, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, Download Files From Suspicious TLDs, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Exploit For CVE-2015-1641, Explorer Process Executing HTA File, Winword Document Droppers, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, Microsoft Office Spawning Script, Download Files From Suspicious TLDs, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Exploit For CVE-2015-1641, Explorer Process Executing HTA File, HTA Infection Chains, ISO LNK Infection Chain, Winword Document Droppers, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, Suspicious Outlook Child Process, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, Bloodhound and Sharphound Tools Usage, Suspicious XOR Encoded PowerShell Command Line, Suspicious PowerShell Keywords, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, Invoke-TheHash Commandlets, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), Mshta Suspicious Child Process, WMImplant Hack Tool, PowerShell Credential Prompt, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, FromBase64String Command Line, Suspicious Taskkill Command, PowerShell Downgrade Attack, PowerShell NTFS Alternate Data Stream, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious PowerShell Invocations - Generic, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell Malicious PowerShell Commandlets, Malicious PowerShell Keywords, PowerShell Download From URL"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence, Control Panel Items, Component Object Model Hijacking, Sticky Key Like Backdoor Usage, Reconnaissance Commands Activities, Change Default File Association, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, New DLL Added To AppCertDlls Registry Key, COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, WMI Fingerprint Commands, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, Shadow Copies, System Info Discovery"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Svchost Wrong Parent, Taskhostw Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Smss Wrong Parent, Wsmprovhost Wrong Parent, Wmiprvse Wrong Parent, MavInject Process Injection, Explorer Wrong Parent, Spoolsv Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Searchindexer Wrong Parent"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Rare Logonui Child Found, Searchprotocolhost Wrong Parent, Spoolsv Wrong Parent, Wininit Wrong Parent, WMI Persistence Command Line Event Consumer, New Service Creation, Userinit Wrong Parent, Winrshost Wrong Parent, Gpscript Suspicious Parent, SolarWinds Wrong Child Process, Smss Wrong Parent, Explorer Wrong Parent, Winword wrong parent, OneNote Suspicious Children Process, Dllhost Wrong Parent, Svchost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Lsass Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Rare Lsass Child Found, Searchprotocolhost Child Found, Csrss Wrong Parent, Csrss Child Found, Suspicious Commands From MS SQL Server Shell, Wmiprvse Wrong Parent, Logonui Wrong Parent, Searchindexer Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Rare Logonui Child Found, Searchprotocolhost Wrong Parent, Spoolsv Wrong Parent, Wininit Wrong Parent, WMI Persistence Command Line Event Consumer, New Service Creation, Userinit Wrong Parent, Winrshost Wrong Parent, Gpscript Suspicious Parent, SolarWinds Wrong Child Process, Smss Wrong Parent, Explorer Wrong Parent, Winword wrong parent, OneNote Suspicious Children Process, Dllhost Wrong Parent, Svchost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Lsass Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Rare Lsass Child Found, Searchprotocolhost Child Found, Csrss Wrong Parent, Csrss Child Found, Suspicious Commands From MS SQL Server Shell, Wmiprvse Wrong Parent, Logonui Wrong Parent, Searchindexer Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Rare Logonui Child Found, Searchprotocolhost Wrong Parent, PsExec Process, Spoolsv Wrong Parent, Wininit Wrong Parent, WMI Persistence Command Line Event Consumer, Userinit Wrong Parent, Winrshost Wrong Parent, Gpscript Suspicious Parent, SolarWinds Wrong Child Process, Smss Wrong Parent, Usage Of Procdump With Common Arguments, Winword wrong parent, OneNote Suspicious Children Process, Suspicious DNS Child Process, Dllhost Wrong Parent, Svchost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Lsass Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Rare Lsass Child Found, Searchprotocolhost Child Found, Csrss Wrong Parent, Csrss Child Found, Suspicious Commands From MS SQL Server Shell, Usage Of Sysinternals Tools, Wmiprvse Wrong Parent, Logonui Wrong Parent, Searchindexer Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Rare Logonui Child Found, Searchprotocolhost Wrong Parent, PsExec Process, Spoolsv Wrong Parent, Wininit Wrong Parent, WMI Persistence Command Line Event Consumer, Userinit Wrong Parent, Exfiltration Via Pscp, Winrshost Wrong Parent, Windows Update LolBins, Gpscript Suspicious Parent, SolarWinds Wrong Child Process, Smss Wrong Parent, Usage Of Procdump With Common Arguments, Winword wrong parent, OneNote Suspicious Children Process, Suspicious DNS Child Process, Dllhost Wrong Parent, Svchost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Lsass Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Rare Lsass Child Found, Searchprotocolhost Child Found, Csrss Wrong Parent, Csrss Child Found, Suspicious Commands From MS SQL Server Shell, Usage Of Sysinternals Tools, Wmiprvse Wrong Parent, Logonui Wrong Parent, Searchindexer Wrong Parent"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Enabling Restricted Admin Mode, Add User to Privileged Group, SSH Authorized Key Alteration"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Netsh Allow Command, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Program Allowed With Suspicious Location, Powershell AMSI Bypass, Netsh Port Opening, Netsh Port Forwarding"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, PowerShell Data Compressed, Data Compressed With Rar With Password"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Schtasks Persistence With High Privileges, Cron Files Alteration, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, PowerView commandlets 2, Openfiles Usage, Shell PID Injection, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, Phosphorus (APT35) Exchange Discovery, PowerView commandlets 2, Reconnaissance Commands Activities, Shell PID Injection, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 1, Network Share Discovery, PowerView commandlets 2"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, Trickbot Malware Activity, PowerView commandlets 2, NlTest Usage, AdFind Usage, Phosphorus Domain Controller Discovery, PowerView commandlets 1"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths, IIS Module Installation Using AppCmd, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Copy Of Legitimate System32 Executable, AutoIt3 Execution From Suspicious Folder, Formbook Hijacked Process Command, Non-Legitimate Executable Using AcceptEula Parameter, Legitimate Process Execution From Unusual Folder, Possible Malicious File Double Extension, Suspicious Cmd.exe Command Line, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Socat Reverse Shell Detection, Socat Relaying Socket, Potential DNS Tunnel, Venom Multi-hop Proxy agent detection, Ngrok Process Execution, Netsh Port Forwarding"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Stop Backup Services, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, WMI Fingerprint Commands, WMI Install Of Binary, Impacket Wmiexec Module, Invoke-TheHash Commandlets, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, Wmic Process Call Creation, WMIC Uninstall Product, WMImplant Hack Tool, Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Linux Suspicious Nohup Exec, PowerShell NTFS Alternate Data Stream, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing, Suspicious Windows DNS Queries, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, DNS Tunnel Technique From MuddyWater, Dynamic DNS Contacted"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, HTA Infection Chains, Download Files From Suspicious TLDs, ISO LNK Infection Chain"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, DLL Load via LSASS Registry Key, Malware Persistence Registry Key, RUN Registry Key Created From Suspicious Folder, NjRat Registry Changes, Svchost Modification, Njrat Registry Values, Autorun Keys Modification, Kernel Module Alteration, Powershell Winlogon Helper DLL, Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Suspicious XOR Encoded PowerShell Command Line, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell EncodedCommand"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, Suspicious Network Args In Command Line"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Port Change Using Powershell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, IcedID Execution Using Excel"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder, Svchost Modification, Autorun Keys Modification, Malware Persistence Registry Key"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credentials Extraction, Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Adexplorer Usage, Opening Of a Password File, Credentials Extraction, Linux Suspicious Search, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, Empire Monkey Activity, Equation Group DLL_U Load, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, Suspicious Headless Web Browser Execution To Download File, Discovery Commands Correlation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, Cmd.exe Used To Run Reconnaissance Commands, Discovery Commands Correlation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: System Network Connections Discovery, Remote System Discovery Via Telnet, ACLight Discovering Privileged Accounts, Microsoft Windows Active Directory Module Commandlets, Adidnsdump Enumeration"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-1147 SharePoint, CVE-2020-14882 Oracle WebLogic Server, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2020-17530 Apache Struts RCE, Suspicious DNS Child Process"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Elise Backdoor, Exploited CVE-2020-10189 Zoho ManageEngine, Exploiting SetupComplete.cmd CVE-2019-1378, Phorpiex DriveMgr Command, Malspam Execution Registering Malicious DLL, Suspicious Cmd.exe Command Line, Suspicious Taskkill Command, Mustang Panda Dropper, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Dumpert LSASS Process Dumper, Windows Credential Editor Registry Key, Suspicious CommandLine Lsassy Pattern, Load Of dbghelp/dbgcore DLL From Suspicious Process, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, Erase Shell History, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line, Exfiltration Domain"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Legitimate Process Execution From Unusual Folder, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Hangul Word Processor Child Process, Msdt (Follina) File Browse Process Execution, Exploit For CVE-2015-1641, Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Download Files From Suspicious TLDs, Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, Suspicious Outlook Child Process"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Python HTTP Server, Suspicious Windows DNS Queries, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Exploiting SetupComplete.cmd CVE-2019-1378, Hijack Legit RDP Session To Move Laterally, Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Suspicious New Printer Ports In Registry, Certify Or Certipy, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Shell PID Injection, Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_419bd705-fa61-496c-94fa-28d6c1f2e2a8_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_419bd705-fa61-496c-94fa-28d6c1f2e2a8_do_not_edit_manually.json
index d65f49fa43..fb0e84b8fb 100644
--- a/_shared_content/operations_center/detection/generated/attack_419bd705-fa61-496c-94fa-28d6c1f2e2a8_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_419bd705-fa61-496c-94fa-28d6c1f2e2a8_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Broadcom/Symantec Endpoint Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: Broadcom/Symantec Endpoint Security Event Cleaned, Broadcom/Symantec Endpoint Security Event Blocked, Broadcom/Symantec Endpoint Security Event Terminate, Broadcom/Symantec Endpoint Security Event Quarantined, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket, Socat Reverse Shell Detection, AutoIt3 Execution From Suspicious Folder, Bloodhound and Sharphound Tools Usage, Interactive Terminal Spawned via Python"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket, Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, PsExec Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, Process Trace Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp, Disabled Service, SELinux Disabling"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp, Disabled Service, SELinux Disabling"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder, AutoIt3 Execution From Suspicious Folder, RTLO Character"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Suspicious Windows DNS Queries, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Dynamic DNS Contacted, Correlation Potential DNS Tunnel, Suspicious Windows DNS Queries, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cryptomining"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, Discovery Commands Correlation"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, Discovery Commands Correlation"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Discovery Commands Correlation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Suspicious Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious Desktopimgdownldr Execution, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: CVE-2021-4034 Polkit's pkexec, Certify Or Certipy"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage, Suspicious TOR Gateway"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Burp Suite Tool Detected, Internet Scanner"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Broadcom/Symantec Endpoint Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: Broadcom/Symantec Endpoint Security Event Quarantined, Download Files From Suspicious TLDs, Broadcom/Symantec Endpoint Security Event Cleaned, Cobalt Strike Default Beacons Names, Broadcom/Symantec Endpoint Security Event Blocked, Broadcom/Symantec Endpoint Security Event Terminate"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Socat Reverse Shell Detection, Interactive Terminal Spawned via Python, AutoIt3 Execution From Suspicious Folder, Bloodhound and Sharphound Tools Usage, Socat Relaying Socket, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Socat Reverse Shell Detection, Potential DNS Tunnel, Socat Relaying Socket, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, OneNote Suspicious Children Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, OneNote Suspicious Children Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, Process Trace Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: SELinux Disabling, Disabled Service, Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: SELinux Disabling, Disabled Service, Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, AutoIt3 Execution From Suspicious Folder, Possible Malicious File Double Extension, Legitimate Process Execution From Unusual Folder, Phorpiex Process Masquerading"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious Windows DNS Queries, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, SEKOIA.IO Intelligence Feed, Correlation Potential DNS Tunnel, Suspicious Windows DNS Queries, Detect requests to Konni C2 servers, Koadic MSHTML Command, Dynamic DNS Contacted"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, System Info Discovery"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Suspicious Desktopimgdownldr Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage, NlTest Usage"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: CVE-2021-4034 Polkit's pkexec, Certify Or Certipy"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target, Burp Suite Tool Detected"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_41e3ca4e-a714-41aa-ad69-684a0b3835fc_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_41e3ca4e-a714-41aa-ad69-684a0b3835fc_do_not_edit_manually.json
index 89aebdb9cf..caa36e1aaf 100644
--- a/_shared_content/operations_center/detection/generated/attack_41e3ca4e-a714-41aa-ad69-684a0b3835fc_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_41e3ca4e-a714-41aa-ad69-684a0b3835fc_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Sekoia.io activity logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-26855 Exchange SSRF, CVE-2020-1147 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2020-17530 Apache Struts RCE, CVE-2021-21972 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-0604 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21985 VMware vCenter"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Dynamic DNS Contacted, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Cryptomining, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Sekoia.io activity logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-1147 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, TrevorC2 HTTP Communication, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Cryptomining, Potential Lemon Duck User-Agent, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, TrevorC2 HTTP Communication, Covenant Default HTTP Beaconing, Dynamic DNS Contacted"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_44439212-c2d8-4645-ad60-8fd5e39140b3_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_44439212-c2d8-4645-ad60-8fd5e39140b3_do_not_edit_manually.json
index a3acdabdd2..8f70753f06 100644
--- a/_shared_content/operations_center/detection/generated/attack_44439212-c2d8-4645-ad60-8fd5e39140b3_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_44439212-c2d8-4645-ad60-8fd5e39140b3_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Google Cloud Audit Logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Google Cloud Audit Logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Cryptomining, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_44d41a2b-96cb-4d37-84e0-4f0c0f9138b8_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_44d41a2b-96cb-4d37-84e0-4f0c0f9138b8_do_not_edit_manually.json
index 211e3a9257..773a105bc2 100644
--- a/_shared_content/operations_center/detection/generated/attack_44d41a2b-96cb-4d37-84e0-4f0c0f9138b8_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_44d41a2b-96cb-4d37-84e0-4f0c0f9138b8_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Tenable Identity Exposure / Alsid", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484", "score": 100, "comment": "Rules: Tenable Identity Exposure / Alsid High Severity Alert, Tenable Identity Exposure / Alsid Critical Severity Alert"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Tenable Identity Exposure / Alsid", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484", "score": 100, "comment": "Rules: Tenable Identity Exposure / Alsid Critical Severity Alert, Tenable Identity Exposure / Alsid High Severity Alert"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_466aeca2-e112-4ccc-a109-c6d85b91bbcf_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_466aeca2-e112-4ccc-a109-c6d85b91bbcf_do_not_edit_manually.json
index 96fb4669d6..495db69908 100644
--- a/_shared_content/operations_center/detection/generated/attack_466aeca2-e112-4ccc-a109-c6d85b91bbcf_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_466aeca2-e112-4ccc-a109-c6d85b91bbcf_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco Secure Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Socat Reverse Shell Detection, Socat Relaying Socket, Aspnet Compiler, Bloodhound and Sharphound Tools Usage, Suspicious File Name"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, HTA Infection Chains, ISO LNK Infection Chain, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, Download Files From Suspicious TLDs, HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Network Connection Via Certutil, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, HackTools Suspicious Names, Credential Dump Tools Related Files"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Potential DNS Tunnel, Socat Relaying Socket, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential LokiBot User-Agent, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Cobalt Strike HTTP Default POST Beaconing, Suspicious Windows DNS Queries, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, TrevorC2 HTTP Communication, Cobalt Strike HTTP Default GET beaconing, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, LokiBot Default C2 URL"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Covenant Default HTTP Beaconing, Suspicious Windows DNS Queries, Koadic MSHTML Command, Dynamic DNS Contacted, Cobalt Strike HTTP Default POST Beaconing, TrevorC2 HTTP Communication, Cobalt Strike HTTP Default GET beaconing, Potential LokiBot User-Agent, Correlation Potential DNS Tunnel, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Sliver DNS Beaconing, LokiBot Default C2 URL, Exfiltration And Tunneling Tools Execution, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, Discovery Commands Correlation"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, Discovery Commands Correlation"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Discovery Commands Correlation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Suspicious Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-21985 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2020-1147 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-17530 Apache Struts RCE, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-41773 Apache 2.4.49 Path Traversal, GitLab CVE-2021-22205, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2019-0604 SharePoint"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage, Suspicious TOR Gateway"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Correlation Potential DNS Tunnel, Sliver DNS Beaconing, Cryptomining"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Burp Suite Tool Detected, Internet Scanner"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco Secure Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Socat Reverse Shell Detection, Suspicious File Name, Socat Relaying Socket, Bloodhound and Sharphound Tools Usage, Aspnet Compiler"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, Download Files From Suspicious TLDs, HTA Infection Chains, Cobalt Strike Default Beacons Names, ISO LNK Infection Chain"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, HTA Infection Chains, Download Files From Suspicious TLDs, ISO LNK Infection Chain"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Network Connection Via Certutil, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, HackTools Suspicious Names, WCE wceaux.dll Creation"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Socat Relaying Socket, Exfiltration And Tunneling Tools Execution, Socat Reverse Shell Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Exfiltration And Tunneling Tools Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, Suspicious Windows DNS Queries, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default POST Beaconing, Potential LokiBot User-Agent, Cobalt Strike HTTP Default GET beaconing, Detect requests to Konni C2 servers, Koadic MSHTML Command, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Correlation Potential DNS Tunnel, Sliver DNS Beaconing, Cobalt Strike HTTP Default POST Beaconing, Covenant Default HTTP Beaconing, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Bazar Loader DGA (Domain Generation Algorithm), Cobalt Strike HTTP Default GET beaconing, Koadic MSHTML Command, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Nimbo-C2 User Agent, Exfiltration And Tunneling Tools Execution, Cryptomining, Potential Lemon Duck User-Agent, Suspicious Windows DNS Queries, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Dynamic DNS Contacted"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, System Info Discovery"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage, NlTest Usage"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), GitLab CVE-2021-22205, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target, Burp Suite Tool Detected"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_469bd3ae-61c9-4c39-9703-7452882e70da_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_469bd3ae-61c9-4c39-9703-7452882e70da_do_not_edit_manually.json
index b33a79f7c1..2e6c0fede6 100644
--- a/_shared_content/operations_center/detection/generated/attack_469bd3ae-61c9-4c39-9703-7452882e70da_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_469bd3ae-61c9-4c39-9703-7452882e70da_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cato Networks SASE", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1557", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, HTA Infection Chains, ISO LNK Infection Chain, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, Download Files From Suspicious TLDs, HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, HackTools Suspicious Names, Credential Dump Tools Related Files"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cato Networks SASE High Risk Alert, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage, Suspicious TOR Gateway"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Burp Suite Tool Detected, Internet Scanner"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cato Networks SASE", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1557", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, Download Files From Suspicious TLDs, HTA Infection Chains, Cobalt Strike Default Beacons Names, ISO LNK Infection Chain"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, HTA Infection Chains, Download Files From Suspicious TLDs, ISO LNK Infection Chain"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, HackTools Suspicious Names, WCE wceaux.dll Creation"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Cato Networks SASE High Risk Alert, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Koadic MSHTML Command, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target, Burp Suite Tool Detected"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_46ca6fc8-3d30-434c-92ff-0e1cde564161_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_46ca6fc8-3d30-434c-92ff-0e1cde564161_do_not_edit_manually.json
index 3205be1152..bd817b1dfd 100644
--- a/_shared_content/operations_center/detection/generated/attack_46ca6fc8-3d30-434c-92ff-0e1cde564161_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_46ca6fc8-3d30-434c-92ff-0e1cde564161_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Proofpoint TAP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cryptomining, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Proofpoint TAP Email Classified As Phishing But Allowed, Proofpoint TAP Email Classified As Malware But Allowed, Download Files From Suspicious TLDs, Proofpoint TAP Email Classified As Spam But Allowed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Proofpoint TAP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Koadic MSHTML Command, TrevorC2 HTTP Communication, Covenant Default HTTP Beaconing, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Proofpoint TAP Email Classified As Malware But Allowed, Download Files From Suspicious TLDs, Proofpoint TAP Email Classified As Phishing But Allowed, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, Proofpoint TAP Email Classified As Spam But Allowed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, TrevorC2 HTTP Communication, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_46e14ac3-0b79-42d6-8630-da4fcdb8d5f1_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_46e14ac3-0b79-42d6-8630-da4fcdb8d5f1_do_not_edit_manually.json
index 5962408d1e..0c36542076 100644
--- a/_shared_content/operations_center/detection/generated/attack_46e14ac3-0b79-42d6-8630-da4fcdb8d5f1_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_46e14ac3-0b79-42d6-8630-da4fcdb8d5f1_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Sesame it Jizo NDR [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cryptomining, LokiBot Default C2 URL"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage, Suspicious TOR Gateway"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, LokiBot Default C2 URL, Koadic MSHTML Command"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Burp Suite Tool Detected, Internet Scanner"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Alert High Severity Sesame it Jizo NDR, Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Sesame it Jizo NDR [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Koadic MSHTML Command, LokiBot Default C2 URL, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Detect requests to Konni C2 servers, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target, Burp Suite Tool Detected"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Alert High Severity Sesame it Jizo NDR, Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_46e45417-187b-45bb-bf81-30df7b1963a0_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_46e45417-187b-45bb-bf81-30df7b1963a0_do_not_edit_manually.json
index 290a085734..1e1d73cc31 100644
--- a/_shared_content/operations_center/detection/generated/attack_46e45417-187b-45bb-bf81-30df7b1963a0_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_46e45417-187b-45bb-bf81-30df7b1963a0_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x AWS WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected, WAF Block Rule, WAF Correlation Block actions"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected, WAF Block Rule, WAF Correlation Block actions"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential LokiBot User-Agent, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Correlation Potential DNS Tunnel, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cryptomining, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, LokiBot Default C2 URL"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-21985 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2020-1147 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-17530 Apache Struts RCE, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-41773 Apache 2.4.49 Path Traversal, GitLab CVE-2021-22205, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2019-0604 SharePoint"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential LokiBot User-Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, LokiBot Default C2 URL"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x AWS WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Correlation Block actions, WAF Block Rule, Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: WAF Correlation Block actions, WAF Block Rule, Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Correlation Potential DNS Tunnel, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Covenant Default HTTP Beaconing, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), GitLab CVE-2021-22205, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_46fe3905-9e38-4fb2-be09-44d31626b694_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_46fe3905-9e38-4fb2-be09-44d31626b694_do_not_edit_manually.json
index 3c2a90f3a6..2ea723f7f5 100644
--- a/_shared_content/operations_center/detection/generated/attack_46fe3905-9e38-4fb2-be09-44d31626b694_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_46fe3905-9e38-4fb2-be09-44d31626b694_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Retarus Email Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Retarus Email Security Threat Detected (Sandboxing), Download Files From Non-Legitimate TLDs, Retarus Email Security Threat Detected (CxO Or Patient Zero Detection), Retarus Email Security Threat Detected (MultiScan)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Retarus Email Security Threat Detected (Sandboxing), Retarus Email Security Threat Detected (CxO Or Patient Zero Detection), Retarus Email Security Threat Detected (MultiScan)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Retarus Email Security Threat Detected (CxO Or Patient Zero Detection)"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Retarus Email Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Correlation Potential DNS Tunnel, Koadic MSHTML Command, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Non-Legitimate TLDs, Retarus Email Security Threat Detected (Sandboxing), Retarus Email Security Threat Detected (MultiScan), Retarus Email Security Threat Detected (CxO Or Patient Zero Detection)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Retarus Email Security Threat Detected (Sandboxing), Retarus Email Security Threat Detected (MultiScan), Retarus Email Security Threat Detected (CxO Or Patient Zero Detection)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Retarus Email Security Threat Detected (CxO Or Patient Zero Detection)"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_4760d0bc-2194-44e5-a876-85102b18d832_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_4760d0bc-2194-44e5-a876-85102b18d832_do_not_edit_manually.json
index 48a6e80af5..2853e13a18 100644
--- a/_shared_content/operations_center/detection/generated/attack_4760d0bc-2194-44e5-a876-85102b18d832_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_4760d0bc-2194-44e5-a876-85102b18d832_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Ekinops OneOS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Ekinops OneOS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_4d50ae7e-ccac-4a5b-9a4c-58a7893f93bb_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_4d50ae7e-ccac-4a5b-9a4c-58a7893f93bb_do_not_edit_manually.json
index 07df343f50..ea0a2346fb 100644
--- a/_shared_content/operations_center/detection/generated/attack_4d50ae7e-ccac-4a5b-9a4c-58a7893f93bb_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_4d50ae7e-ccac-4a5b-9a4c-58a7893f93bb_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Google Cloud Load Balancing [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential LokiBot User-Agent, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cryptomining, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, LokiBot Default C2 URL"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-21985 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2020-1147 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-17530 Apache Struts RCE, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-41773 Apache 2.4.49 Path Traversal, GitLab CVE-2021-22205, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2019-0604 SharePoint"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential LokiBot User-Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, LokiBot Default C2 URL"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Google Cloud Load Balancing [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Covenant Default HTTP Beaconing, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), GitLab CVE-2021-22205, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_515ed00f-bf70-4fce-96cc-0ca31abd5d24_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_515ed00f-bf70-4fce-96cc-0ca31abd5d24_do_not_edit_manually.json
index 71929fe380..1f5c58b9a9 100644
--- a/_shared_content/operations_center/detection/generated/attack_515ed00f-bf70-4fce-96cc-0ca31abd5d24_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_515ed00f-bf70-4fce-96cc-0ca31abd5d24_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Google VPC Flow Logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Google VPC Flow Logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_547234b3-82ea-4507-b28f-3ee3cd5b9a8e_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_547234b3-82ea-4507-b28f-3ee3cd5b9a8e_do_not_edit_manually.json
index 12f7ba4fd4..cd450d980c 100644
--- a/_shared_content/operations_center/detection/generated/attack_547234b3-82ea-4507-b28f-3ee3cd5b9a8e_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_547234b3-82ea-4507-b28f-3ee3cd5b9a8e_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco Duo Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1557", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco Duo Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1557", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Cryptomining, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_5702ae4e-7d8a-455f-a47b-ef64dd87c981_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_5702ae4e-7d8a-455f-a47b-ef64dd87c981_do_not_edit_manually.json
index 72290d3ea6..2a61ec26e6 100644
--- a/_shared_content/operations_center/detection/generated/attack_5702ae4e-7d8a-455f-a47b-ef64dd87c981_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_5702ae4e-7d8a-455f-a47b-ef64dd87c981_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Fortinet FortiGate", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, Microsoft Defender Antivirus Threat Detected, HTA Infection Chains, Download Files From Non-Legitimate TLDs, ISO LNK Infection Chain, Login Brute-Force Successful On SentinelOne EDR Management Console, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Login Brute-Force Successful On SentinelOne EDR Management Console, Microsoft Defender Antivirus Threat Detected, Suspicious File Name"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console, Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Portal"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Portal"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Login Brute-Force On Firewall, Fortinet FortiGate Firewall Login In Failure, RSA SecurID Failed Authentification, Fortinet FortiGate Firewall Successful External Login"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner New Issues"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, HTA Infection Chains, Download Files From Non-Legitimate TLDs, ISO LNK Infection Chain, Download Files From Suspicious TLDs"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group, Login Brute-Force On Firewall, Fortinet FortiGate Firewall Successful External Login"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, HackTools Suspicious Names, Credential Dump Tools Related Files"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential LokiBot User-Agent, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Correlation Potential DNS Tunnel, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Bazar Loader DGA (Domain Generation Algorithm), Cobalt Strike DNS Beaconing, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Sliver DNS Beaconing, Cryptomining, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-26855 Exchange SSRF, CVE-2020-1147 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2020-17530 Apache Struts RCE, CVE-2021-21972 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-0604 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21985 VMware vCenter"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage, Suspicious TOR Gateway"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential LokiBot User-Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cobalt Strike DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining, Sliver DNS Beaconing"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Burp Suite Tool Detected, Internet Scanner"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Fortinet FortiGate", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, Download Files From Suspicious TLDs, HTA Infection Chains, Cobalt Strike Default Beacons Names, Download Files From Non-Legitimate TLDs, Login Brute-Force Successful On SentinelOne EDR Management Console, Microsoft Defender Antivirus Threat Detected, ISO LNK Infection Chain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Microsoft Defender Antivirus Threat Detected, Login Brute-Force Successful On SentinelOne EDR Management Console, Suspicious File Name"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Portal"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Portal"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Fortinet FortiGate Firewall Login In Failure, Fortinet FortiGate Firewall Successful External Login, RSA SecurID Failed Authentification, Login Brute-Force On Firewall"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner New Issues"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Tampering Detected, Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, Download Files From Suspicious TLDs, HTA Infection Chains, Download Files From Non-Legitimate TLDs, ISO LNK Infection Chain"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Fortinet FortiGate Firewall Successful External Login, Account Added To A Security Enabled Group, Login Brute-Force On Firewall"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, HackTools Suspicious Names, WCE wceaux.dll Creation"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, TrevorC2 HTTP Communication, Covenant Default HTTP Beaconing, Dynamic DNS Contacted, Cobalt Strike DNS Beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Download Files From Non-Legitimate TLDs, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-1147 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, TrevorC2 HTTP Communication, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Cobalt Strike DNS Beaconing"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target, Burp Suite Tool Detected"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_57eda191-2f93-4fd9-99a2-fd8ffbcdff50_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_57eda191-2f93-4fd9-99a2-fd8ffbcdff50_do_not_edit_manually.json
index b4e3b3b5fc..a7368cd3e1 100644
--- a/_shared_content/operations_center/detection/generated/attack_57eda191-2f93-4fd9-99a2-fd8ffbcdff50_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_57eda191-2f93-4fd9-99a2-fd8ffbcdff50_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Bitsight SPM [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Bitsight SPM Moderate Vulnerability, Bitsight SPM Minor Vulnerability, Bitsight SPM Severe Vulnerability, Bitsight SPM Material Vulnerability"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Bitsight SPM Moderate Vulnerability, Bitsight SPM Minor Vulnerability, Bitsight SPM Severe Vulnerability, Bitsight SPM Material Vulnerability"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Bitsight SPM [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Bitsight SPM Moderate Vulnerability, Bitsight SPM Severe Vulnerability, Bitsight SPM Minor Vulnerability, Bitsight SPM Material Vulnerability"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Bitsight SPM Moderate Vulnerability, Bitsight SPM Severe Vulnerability, Bitsight SPM Minor Vulnerability, Bitsight SPM Material Vulnerability"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_5803f97d-b324-4452-b861-0253b15de650_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_5803f97d-b324-4452-b861-0253b15de650_do_not_edit_manually.json
index d5a4fb5859..c4ded871a0 100644
--- a/_shared_content/operations_center/detection/generated/attack_5803f97d-b324-4452-b861-0253b15de650_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_5803f97d-b324-4452-b861-0253b15de650_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Lacework Cloud Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: Lacework Cloud Security Critical Severity Alert, Lacework Cloud Security High Severity Alert, Lacework Cloud Security Medium Severity Alert, Lacework Cloud Security Low Severity Alert"}, {"techniqueID": "T1578", "score": 100, "comment": "Rules: Lacework Cloud Security Critical Severity Alert, Lacework Cloud Security High Severity Alert, Lacework Cloud Security Medium Severity Alert, Lacework Cloud Security Low Severity Alert"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Lacework Cloud Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: Lacework Cloud Security Medium Severity Alert, Lacework Cloud Security High Severity Alert, Lacework Cloud Security Critical Severity Alert, Lacework Cloud Security Low Severity Alert"}, {"techniqueID": "T1578", "score": 100, "comment": "Rules: Lacework Cloud Security Medium Severity Alert, Lacework Cloud Security High Severity Alert, Lacework Cloud Security Critical Severity Alert, Lacework Cloud Security Low Severity Alert"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_588a448b-c08d-4139-a746-b2b9f366e34b_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_588a448b-c08d-4139-a746-b2b9f366e34b_do_not_edit_manually.json
index 3a264baf1b..389644f6ad 100644
--- a/_shared_content/operations_center/detection/generated/attack_588a448b-c08d-4139-a746-b2b9f366e34b_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_588a448b-c08d-4139-a746-b2b9f366e34b_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cloudflare Access Requests", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cloudflare Access Requests", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.json
index 1999d9c7e1..ea0a434c61 100644
--- a/_shared_content/operations_center/detection/generated/attack_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco NX-OS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Venom Multi-hop Proxy agent detection, Suspicious Windows Script Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious CodePage Switch with CHCP, Default Encoding To UTF-8 PowerShell, Socat Reverse Shell Detection, Generic-reverse-shell-oneliner, WMImplant Hack Tool, Suspicious PowerShell Keywords, PowerShell Downgrade Attack, Suspicious PrinterPorts Creation (CVE-2020-1048), Mustang Panda Dropper, PowerShell EncodedCommand, QakBot Process Creation, Socat Relaying Socket, Sysprep On AppData Folder, Powershell Web Request, Malspam Execution Registering Malicious DLL, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Taskkill Command, AutoIt3 Execution From Suspicious Folder, Bloodhound and Sharphound Tools Usage, MalwareBytes Uninstallation, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Download From URL, PowerShell Commands Invocation, Invoke-TheHash Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, Interactive Terminal Spawned via Python, XSL Script Processing And SquiblyTwo Attack, Suspicious XOR Encoded PowerShell Command Line, WMIC Uninstall Product, Suspicious PowerShell Invocations - Generic, Microsoft Office Creating Suspicious File, Suspicious VBS Execution Parameter, Suspicious PowerShell Invocations - Specific, Lazarus Loaders, Elise Backdoor, DNS Exfiltration and Tunneling Tools Execution, PowerShell Invoke Expression With Registry, Suspicious File Name, Linux Bash Reverse Shell"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Process Names In Command Line, Cmdkey Cached Credentials Recon, HackTools Suspicious Names, Process Trace Alteration, NTDS.dit File In Suspicious Directory, Mimikatz Basic Commands, Rubeus Tool Command-line, Grabbing Sensitive Hives Via Reg Utility, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Comsvcs, Wdigest Enable UseLogonCredential, NTDS.dit File Interaction Through Command Line, WCE wceaux.dll Creation, Suspicious CommandLine Lsassy Pattern, Credential Dump Tools Related Files, Process Memory Dump Using Createdump, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Rclone Process, Suspicious certutil command, Network Connection Via Certutil, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, QakBot Process Creation, Suspicious CodePage Switch with CHCP, Microsoft Office Creating Suspicious File, Malspam Execution Registering Malicious DLL, Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Shadow Copies, Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Password Change On Directory Service Restore Mode (DSRM) Account, Add User to Privileged Group, Enabling Restricted Admin Mode"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Powershell AMSI Bypass, Netsh Port Opening, Netsh Allow Command, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Allow Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh RDP Port Opening, Disable .NET ETW Through COMPlus_ETWEnabled, SELinux Disabling, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PROCEXP152.sys File Created In Tmp, Netsh RDP Port Forwarding, Netsh Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Disabled IE Security Features, ETW Tampering, Powershell AMSI Bypass, MalwareBytes Uninstallation, Raccine Uninstall, Disable Windows Defender Credential Guard, Address Space Layout Randomization (ASLR) Alteration, Windows Firewall Changes, Microsoft Defender Antivirus Disable Using Registry, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable Services, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, WMIC Uninstall Product, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Port Opening, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Task Manager Through Registry Key, Netsh Allowed Python Program, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled Service"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Wdigest Enable UseLogonCredential, Suspicious Desktopimgdownldr Execution, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Empire Monkey Activity, Suspicious Desktopimgdownldr Execution, Suspicious Mshta Execution, xWizard Execution, Suspicious Regsvr32 Execution, Malspam Execution Registering Malicious DLL, MavInject Process Injection, PowerShell Execution Via Rundll32, CertOC Loading Dll, Suspicious DLL Loading By Ordinal, Suspicious Taskkill Command, Explorer Process Executing HTA File, Equation Group DLL_U Load, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Regasm Regsvcs Usage, CMSTP Execution, Control Panel Items, Suspicious Control Process, AccCheckConsole Executing Dll, Mshta JavaScript Execution, Suspicious Windows Installer Execution, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Control Panel Items, WMI Persistence Script Event Consumer File Write, Change Default File Association, Component Object Model Hijacking"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password, PowerShell Data Compressed"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Openfiles Usage, Network Scanning and Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, PowerView commandlets 1, AdFind Usage, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Webshell Creation, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Webshell Creation, IIS Module Installation Using AppCmd, PowerCat Function Loading"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Copy Of Legitimate System32 Executable, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder, Non-Legitimate Executable Using AcceptEula Parameter, AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, RTLO Character"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Ngrok Process Execution, Netsh Port Forwarding, Potential DNS Tunnel"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Disabled Service"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Stop Backup Services"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Malspam Execution Registering Malicious DLL, Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Malspam Execution Registering Malicious DLL, Explorer Process Executing HTA File"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Process Call Creation, WMIC Uninstall Product, WMImplant Hack Tool, WMI Install Of Binary, Invoke-TheHash Commandlets, Wmic Service Call, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, WMImplant Hack Tool, Suspicious PowerShell Keywords, PowerShell Downgrade Attack, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Powershell Web Request, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Taskkill Command, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Download From URL, Invoke-TheHash Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, Suspicious PowerShell Invocations - Generic, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, PowerShell Invoke Expression With Registry"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh RDP Port Opening, SELinux Disabling, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PROCEXP152.sys File Created In Tmp, Netsh RDP Port Forwarding, Netsh Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Disabled IE Security Features, MalwareBytes Uninstallation, Raccine Uninstall, Disable Windows Defender Credential Guard, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Disable Services, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, WMIC Uninstall Product, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Port Opening, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Task Manager Through Registry Key, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled Service"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Autorun Keys Modification, Leviathan Registry Key Activity, Suspicious desktop.ini Action, Njrat Registry Values, Kernel Module Alteration, NjRat Registry Changes"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious XOR Encoded PowerShell Command Line, Suspicious certutil command, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Gpresult Usage, Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, Network Sniffing, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, PsExec Process, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Exfiltration Via Pscp, OneNote Suspicious Children Process, PsExec Process, SolarWinds Suspicious File Creation, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, New Service Creation"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, WMIC Uninstall Product, MalwareBytes Uninstallation, Malspam Execution Registering Malicious DLL, Lazarus Loaders, Elise Backdoor, Suspicious Taskkill Command, Phorpiex DriveMgr Command, Mustang Panda Dropper"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access, Adexplorer Usage, Linux Suspicious Search, Opening Of a Password File, Container Credential Access"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, Erase Shell History, ETW Tampering, Compression Followed By Suppression"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Potential DNS Tunnel, Exfiltration Domain, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Malspam Execution Registering Malicious DLL, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, Suspicious Windows DNS Queries"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Correlation Potential DNS Tunnel, Suspicious Windows DNS Queries, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, Dynamic Linker Hijacking From Environment Variable, DNS ServerLevelPluginDll Installation, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Createdump, Credential Dump Tools Related Files"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding, Suspicious TOR Gateway"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: CVE-2021-4034 Polkit's pkexec, Certify Or Certipy"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco NX-OS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, PowerShell Commands Invocation, Suspicious File Name, Interactive Terminal Spawned via Python, Bloodhound and Sharphound Tools Usage, Suspicious XOR Encoded PowerShell Command Line, Venom Multi-hop Proxy agent detection, Suspicious PowerShell Keywords, WMIC Uninstall Product, Suspicious PowerShell Invocations - Specific, Suspicious VBS Execution Parameter, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious CodePage Switch with CHCP, Socat Reverse Shell Detection, Phorpiex DriveMgr Command, Invoke-TheHash Commandlets, Malspam Execution Registering Malicious DLL, Powershell Web Request, XSL Script Processing And SquiblyTwo Attack, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Office Creating Suspicious File, WMImplant Hack Tool, Sekoia.io EICAR Detection, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, AutoIt3 Execution From Suspicious Folder, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Socat Relaying Socket, PowerShell EncodedCommand, FromBase64String Command Line, Suspicious Taskkill Command, Generic-reverse-shell-oneliner, QakBot Process Creation, Linux Bash Reverse Shell, PowerShell Downgrade Attack, Elise Backdoor, Suspicious PowerShell Invocations - Generic, Suspicious Windows Script Execution, Mustang Panda Dropper, Lazarus Loaders, Sysprep On AppData Folder, PowerShell Download From URL"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, Suspicious CommandLine Lsassy Pattern, WCE wceaux.dll Creation, Credential Dump Tools Related Files, Process Trace Alteration, Mimikatz Basic Commands, HackTools Suspicious Process Names In Command Line, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Names, Process Memory Dump Using Rdrleakdiag, Wdigest Enable UseLogonCredential, Grabbing Sensitive Hives Via Reg Utility, Process Memory Dump Using Createdump, Copying Browser Files With Credentials"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File, Network Connection Via Certutil, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Rclone Process, Suspicious Finger Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Malspam Execution Registering Malicious DLL, XSL Script Processing And SquiblyTwo Attack, Microsoft Office Creating Suspicious File, Suspicious Windows Script Execution, QakBot Process Creation, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, Shadow Copies, Suspicious Headless Web Browser Execution To Download File, System Info Discovery"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account, Enabling Restricted Admin Mode, Add User to Privileged Group, Mimikatz Basic Commands"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Netsh Allow Command, Netsh RDP Port Forwarding, Windows Firewall Changes, Powershell AMSI Bypass, Netsh Port Opening, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Netsh RDP Port Forwarding, Windows Firewall Changes, Microsoft Defender Antivirus Disable SecurityHealth, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Powershell AMSI Bypass, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Opening, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Port Opening, Disabled IE Security Features, Netsh Port Forwarding, Netsh Allow Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, ETW Tampering, SELinux Disabling, Disable .NET ETW Through COMPlus_ETWEnabled, Disabled Service, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disable Services, Address Space Layout Randomization (ASLR) Alteration, Fail2ban Unban IP, Clear EventLogs Through CommandLine, Raccine Uninstall, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Suspicious PROCEXP152.sys File Created In Tmp, Disable Task Manager Through Registry Key"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Blue Mockingbird Malware, Wdigest Enable UseLogonCredential, RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, DHCP Callout DLL Installation, Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, Suspicious Rundll32.exe Execution, Mshta JavaScript Execution, MavInject Process Injection, Suspicious Control Process, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Regasm Regsvcs Usage, Malspam Execution Registering Malicious DLL, CertOC Loading Dll, xWizard Execution, PowerShell Execution Via Rundll32, Control Panel Items, Empire Monkey Activity, Suspicious Desktopimgdownldr Execution, Suspicious Taskkill Command, Suspicious Mshta Execution, Suspicious DLL Loading By Ordinal, Suspicious Regsvr32 Execution, CMSTP Execution, Explorer Process Executing HTA File, Equation Group DLL_U Load"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Control Panel Items, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, PowerShell Data Compressed, Data Compressed With Rar With Password"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2, Network Scanning and Discovery, Openfiles Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 1, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 1, Network Share Discovery, PowerView commandlets 2"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, AdFind Usage, NlTest Usage, PowerView commandlets 1"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, IIS Module Installation Using AppCmd, Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Copy Of Legitimate System32 Executable, AutoIt3 Execution From Suspicious Folder, Non-Legitimate Executable Using AcceptEula Parameter, Legitimate Process Execution From Unusual Folder, Phorpiex Process Masquerading, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Socat Reverse Shell Detection, Socat Relaying Socket, Potential DNS Tunnel, Venom Multi-hop Proxy agent detection, Ngrok Process Execution, Netsh Port Forwarding"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Stop Backup Services, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, WMI Install Of Binary, Invoke-TheHash Commandlets, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, Wmic Process Call Creation, WMIC Uninstall Product, WMImplant Hack Tool"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, Bloodhound and Sharphound Tools Usage, Suspicious XOR Encoded PowerShell Command Line, Suspicious PowerShell Keywords, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, Invoke-TheHash Commandlets, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), WMImplant Hack Tool, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, FromBase64String Command Line, Suspicious Taskkill Command, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Generic, PowerShell Download From URL"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable SecurityHealth, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Port Opening, Disabled IE Security Features, Netsh Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, SELinux Disabling, Disabled Service, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disable Services, Address Space Layout Randomization (ASLR) Alteration, Fail2ban Unban IP, Raccine Uninstall, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Suspicious PROCEXP152.sys File Created In Tmp, Disable Task Manager Through Registry Key"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, Malware Persistence Registry Key, NjRat Registry Changes, Njrat Registry Values, Autorun Keys Modification, Kernel Module Alteration, Suspicious desktop.ini Action"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Suspicious XOR Encoded PowerShell Command Line, OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments, OneNote Suspicious Children Process, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Exfiltration Via Pscp, Usage Of Procdump With Common Arguments, SolarWinds Suspicious File Creation, Usage Of Sysinternals Tools, PsExec Process, OneNote Suspicious Children Process"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Elise Backdoor, Phorpiex DriveMgr Command, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Mustang Panda Dropper, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Adexplorer Usage, Opening Of a Password File, Linux Suspicious Search, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, Erase Shell History, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line, Exfiltration Domain"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, Malspam Execution Registering Malicious DLL, Empire Monkey Activity, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, Suspicious Windows DNS Queries"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Cryptomining, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Correlation Potential DNS Tunnel, Suspicious Windows DNS Queries, Dynamic DNS Contacted"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Hijack Legit RDP Session To Move Laterally, Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: CVE-2021-4034 Polkit's pkexec, Certify Or Certipy"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_59991ced-c2a0-4fb0-91f3-49e3993c16f5_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_59991ced-c2a0-4fb0-91f3-49e3993c16f5_do_not_edit_manually.json
index 384fc0acf5..f21ee43004 100644
--- a/_shared_content/operations_center/detection/generated/attack_59991ced-c2a0-4fb0-91f3-49e3993c16f5_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_59991ced-c2a0-4fb0-91f3-49e3993c16f5_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Tanium", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Venom Multi-hop Proxy agent detection, Suspicious Windows Script Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious CodePage Switch with CHCP, Default Encoding To UTF-8 PowerShell, Socat Reverse Shell Detection, Generic-reverse-shell-oneliner, WMImplant Hack Tool, Suspicious PowerShell Keywords, Trickbot Malware Activity, PowerShell Downgrade Attack, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PrinterPorts Creation (CVE-2020-1048), Mustang Panda Dropper, PowerShell EncodedCommand, QakBot Process Creation, Socat Relaying Socket, Sysprep On AppData Folder, Python Offensive Tools and Packages, Aspnet Compiler, Powershell Web Request, Malspam Execution Registering Malicious DLL, Suspicious Outlook Child Process, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Taskkill Command, AutoIt3 Execution From Suspicious Folder, Bloodhound and Sharphound Tools Usage, Suspicious Cmd.exe Command Line, MalwareBytes Uninstallation, PowerShell Malicious Nishang PowerShell Commandlets, Mshta Suspicious Child Process, PowerShell Download From URL, PowerShell Commands Invocation, Microsoft Office Spawning Script, Invoke-TheHash Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, XSL Script Processing And SquiblyTwo Attack, Suspicious XOR Encoded PowerShell Command Line, WMIC Uninstall Product, Suspicious PowerShell Invocations - Generic, Exploited CVE-2020-10189 Zoho ManageEngine, Microsoft Office Creating Suspicious File, SquirrelWaffle Malspam Execution Loading DLL, Suspicious VBS Execution Parameter, Suspicious PowerShell Invocations - Specific, Lazarus Loaders, Elise Backdoor, DNS Exfiltration and Tunneling Tools Execution, PowerShell Invoke Expression With Registry, Suspicious File Name, Linux Bash Reverse Shell"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, FLTMC command usage, ETW Tampering"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Program Allowed With Suspicious Location, Netsh Allow Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh RDP Port Opening, Disable .NET ETW Through COMPlus_ETWEnabled, Package Manager Alteration, FLTMC command usage, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PROCEXP152.sys File Created In Tmp, Netsh RDP Port Forwarding, Netsh Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Disabled IE Security Features, ETW Tampering, Powershell AMSI Bypass, MalwareBytes Uninstallation, Raccine Uninstall, Disable Windows Defender Credential Guard, Address Space Layout Randomization (ASLR) Alteration, Windows Firewall Changes, Microsoft Defender Antivirus Disable Using Registry, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable Services, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, WMIC Uninstall Product, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Port Opening, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Task Manager Through Registry Key, Netsh Allowed Python Program, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Process Names In Command Line, Cmdkey Cached Credentials Recon, HackTools Suspicious Names, Process Trace Alteration, NTDS.dit File In Suspicious Directory, Mimikatz Basic Commands, Rubeus Tool Command-line, Grabbing Sensitive Hives Via Reg Utility, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Comsvcs, Wdigest Enable UseLogonCredential, NTDS.dit File Interaction Through Command Line, WCE wceaux.dll Creation, Suspicious CommandLine Lsassy Pattern, Credential Dump Tools Related Files, Process Memory Dump Using Createdump, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Rclone Process, Suspicious certutil command, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP UAC Bypass via COM Object Access, CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Empire Monkey Activity, IcedID Execution Using Excel, Suspicious Desktopimgdownldr Execution, Suspicious Mshta Execution, xWizard Execution, Suspicious Regsvr32 Execution, Malspam Execution Registering Malicious DLL, MavInject Process Injection, PowerShell Execution Via Rundll32, CertOC Loading Dll, Suspicious DLL Loading By Ordinal, CMSTP UAC Bypass via COM Object Access, Suspicious Taskkill Command, MOFComp Execution, Explorer Process Executing HTA File, Equation Group DLL_U Load, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Regasm Regsvcs Usage, CMSTP Execution, SquirrelWaffle Malspam Execution Loading DLL, Control Panel Items, Suspicious Control Process, AccCheckConsole Executing Dll, Mshta JavaScript Execution, Suspicious Windows Installer Execution, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, QakBot Process Creation, Suspicious CodePage Switch with CHCP, Microsoft Office Creating Suspicious File, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Suspicious VBS Execution Parameter, Microsoft Office Spawning Script, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir, Winword Document Droppers, Malspam Execution Registering Malicious DLL, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir, Winword Document Droppers, Malspam Execution Registering Malicious DLL, Suspicious Outlook Child Process, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, WMImplant Hack Tool, Suspicious PowerShell Keywords, PowerShell Downgrade Attack, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Powershell Web Request, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Taskkill Command, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, Mshta Suspicious Child Process, PowerShell Download From URL, Invoke-TheHash Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, Suspicious PowerShell Invocations - Generic, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, PowerShell Invoke Expression With Registry"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Shadow Copies, Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Wsmprovhost Wrong Parent, Smss Wrong Parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration, Svchost Wrong Parent, Searchprotocolhost Wrong Parent, Searchindexer Wrong Parent, Taskhost Wrong Parent, Taskhostw Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Explorer Wrong Parent"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Suspicious Commands From MS SQL Server Shell, Wsmprovhost Wrong Parent, SolarWinds Wrong Child Process, Spoolsv Wrong Parent, Winlogon wrong parent, Svchost Wrong Parent, Winword wrong parent, Taskhostw Wrong Parent, Dllhost Wrong Parent, Csrss Wrong Parent, Rare Lsass Child Found, Smss Wrong Parent, OneNote Suspicious Children Process, Searchprotocolhost Child Found, Gpscript Suspicious Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, New Service Creation, Taskhost Wrong Parent, Explorer Wrong Parent, Wmiprvse Wrong Parent, Logonui Wrong Parent, Csrss Child Found, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Userinit Wrong Parent, Lsass Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Suspicious Commands From MS SQL Server Shell, Wsmprovhost Wrong Parent, SolarWinds Wrong Child Process, Spoolsv Wrong Parent, Winlogon wrong parent, Svchost Wrong Parent, Winword wrong parent, Taskhostw Wrong Parent, Dllhost Wrong Parent, Csrss Wrong Parent, Rare Lsass Child Found, Smss Wrong Parent, OneNote Suspicious Children Process, Searchprotocolhost Child Found, Gpscript Suspicious Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, New Service Creation, Taskhost Wrong Parent, Explorer Wrong Parent, Wmiprvse Wrong Parent, Logonui Wrong Parent, Csrss Child Found, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Userinit Wrong Parent, Lsass Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Suspicious Commands From MS SQL Server Shell, Suspicious DNS Child Process, Wsmprovhost Wrong Parent, SolarWinds Wrong Child Process, Spoolsv Wrong Parent, Winlogon wrong parent, Svchost Wrong Parent, PsExec Process, Winword wrong parent, Taskhostw Wrong Parent, Dllhost Wrong Parent, Usage Of Sysinternals Tools, Csrss Wrong Parent, Rare Lsass Child Found, Smss Wrong Parent, OneNote Suspicious Children Process, Searchprotocolhost Child Found, Gpscript Suspicious Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, Taskhost Wrong Parent, Usage Of Procdump With Common Arguments, Wmiprvse Wrong Parent, Logonui Wrong Parent, Csrss Child Found, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Userinit Wrong Parent, Lsass Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Suspicious Commands From MS SQL Server Shell, Suspicious DNS Child Process, Wsmprovhost Wrong Parent, SolarWinds Wrong Child Process, Spoolsv Wrong Parent, Windows Update LolBins, Winlogon wrong parent, Svchost Wrong Parent, PsExec Process, Winword wrong parent, Taskhostw Wrong Parent, SolarWinds Suspicious File Creation, Dllhost Wrong Parent, Usage Of Sysinternals Tools, Csrss Wrong Parent, Rare Lsass Child Found, Smss Wrong Parent, OneNote Suspicious Children Process, Searchprotocolhost Child Found, Gpscript Suspicious Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, Taskhost Wrong Parent, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, Wmiprvse Wrong Parent, Logonui Wrong Parent, Csrss Child Found, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Userinit Wrong Parent, Lsass Wrong Parent"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Add User to Privileged Group, Enabling Restricted Admin Mode, SSH Authorized Key Alteration"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Powershell AMSI Bypass, Netsh Port Opening, Netsh Program Allowed With Suspicious Location, Netsh Allow Command, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious New Printer Ports In Registry, RedMimicry Winnti Playbook Registry Manipulation, RDP Sensitive Settings Changed, Wdigest Enable UseLogonCredential, Suspicious Desktopimgdownldr Execution, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Control Panel Items, WMI Persistence Script Event Consumer File Write, Change Default File Association, Component Object Model Hijacking"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password, PowerShell Data Compressed"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Blue Mockingbird Malware, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Cron Files Alteration, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Openfiles Usage, Network Scanning and Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Trickbot Malware Activity, PowerView commandlets 1, AdFind Usage, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, IIS Module Installation Using AppCmd, Webshell Execution W3WP Process, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Copy Of Legitimate System32 Executable, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, AutoIt3 Execution From Suspicious Folder, RTLO Character, Suspicious Cmd.exe Command Line, Explorer Wrong Parent"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Ngrok Process Execution, Netsh Port Forwarding, Potential DNS Tunnel"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Stop Backup Services"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Process Call Creation, WMIC Uninstall Product, Impacket Wmiexec Module, WMImplant Hack Tool, WMI Install Of Binary, Invoke-TheHash Commandlets, Suspicious Mshta Execution From Wmi, Wmic Service Call, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh RDP Port Opening, Package Manager Alteration, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PROCEXP152.sys File Created In Tmp, Netsh RDP Port Forwarding, Netsh Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Disabled IE Security Features, MalwareBytes Uninstallation, Raccine Uninstall, Disable Windows Defender Credential Guard, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Disable Services, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, WMIC Uninstall Product, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Port Opening, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Task Manager Through Registry Key, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution, Cryptomining, Sliver DNS Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Correlation Potential DNS Tunnel, Suspicious Windows DNS Queries, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Bazar Loader DGA (Domain Generation Algorithm), DNS Tunnel Technique From MuddyWater, Sliver DNS Beaconing, Cryptomining"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Autorun Keys Modification, Leviathan Registry Key Activity, Powershell Winlogon Helper DLL, DLL Load via LSASS Registry Key, Suspicious desktop.ini Action, Svchost Modification, Njrat Registry Values, Kernel Module Alteration, NjRat Registry Changes"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious XOR Encoded PowerShell Command Line, Suspicious certutil command, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Gpresult Usage, Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, Network Sniffing, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Office Application Startup Office Test"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Svchost Modification, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, PowerShell Execution Via Rundll32, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, WMIC Uninstall Product, MalwareBytes Uninstallation, Exploited CVE-2020-10189 Zoho ManageEngine, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Lazarus Loaders, Elise Backdoor, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, Phorpiex DriveMgr Command, Mustang Panda Dropper"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access, Adexplorer Usage, Linux Suspicious Search, Opening Of a Password File, Container Credential Access"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, Erase Shell History, ETW Tampering, Compression Followed By Suppression"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Potential DNS Tunnel, Exfiltration Domain, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder, Explorer Wrong Parent"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious Hangul Word Processor Child Process, Msdt (Follina) File Browse Process Execution, Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, Suspicious Outlook Child Process, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, Suspicious Windows DNS Queries"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, Dynamic Linker Hijacking From Environment Variable, DNS ServerLevelPluginDll Installation, Exploiting SetupComplete.cmd CVE-2019-1378, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Createdump, Credential Dump Tools Related Files"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding, Suspicious TOR Gateway"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Tanium", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, PowerShell Commands Invocation, Suspicious File Name, Bloodhound and Sharphound Tools Usage, Suspicious XOR Encoded PowerShell Command Line, Venom Multi-hop Proxy agent detection, Suspicious PowerShell Keywords, Suspicious Cmd.exe Command Line, WMIC Uninstall Product, Suspicious PowerShell Invocations - Specific, Suspicious VBS Execution Parameter, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious CodePage Switch with CHCP, Microsoft Office Spawning Script, Socat Reverse Shell Detection, Phorpiex DriveMgr Command, Invoke-TheHash Commandlets, Malspam Execution Registering Malicious DLL, Powershell Web Request, XSL Script Processing And SquiblyTwo Attack, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Office Creating Suspicious File, Mshta Suspicious Child Process, WMImplant Hack Tool, Sekoia.io EICAR Detection, Default Encoding To UTF-8 PowerShell, Python Offensive Tools and Packages, DNS Exfiltration and Tunneling Tools Execution, AutoIt3 Execution From Suspicious Folder, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Socat Relaying Socket, PowerShell EncodedCommand, FromBase64String Command Line, Suspicious Taskkill Command, Generic-reverse-shell-oneliner, QakBot Process Creation, Aspnet Compiler, PowerShell Downgrade Attack, Linux Bash Reverse Shell, Elise Backdoor, Exploited CVE-2020-10189 Zoho ManageEngine, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PowerShell Invocations - Generic, Trickbot Malware Activity, Suspicious Windows Script Execution, Mustang Panda Dropper, SquirrelWaffle Malspam Execution Loading DLL, Lazarus Loaders, Sysprep On AppData Folder, Suspicious Outlook Child Process, PowerShell Download From URL"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, FLTMC command usage"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Windows Firewall Changes, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Program Allowed With Suspicious Location, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Powershell AMSI Bypass, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Opening, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Port Opening, Disabled IE Security Features, Netsh Port Forwarding, FLTMC command usage, Netsh Allow Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, ETW Tampering, Package Manager Alteration, Disable .NET ETW Through COMPlus_ETWEnabled, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disable Services, Address Space Layout Randomization (ASLR) Alteration, Fail2ban Unban IP, Clear EventLogs Through CommandLine, Raccine Uninstall, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Suspicious PROCEXP152.sys File Created In Tmp, Disable Task Manager Through Registry Key"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, Suspicious CommandLine Lsassy Pattern, WCE wceaux.dll Creation, Credential Dump Tools Related Files, Process Trace Alteration, Mimikatz Basic Commands, HackTools Suspicious Process Names In Command Line, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Names, Process Memory Dump Using Rdrleakdiag, Wdigest Enable UseLogonCredential, Grabbing Sensitive Hives Via Reg Utility, Process Memory Dump Using Createdump, Copying Browser Files With Credentials"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Rclone Process, Suspicious Finger Usage"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, Mshta JavaScript Execution, MavInject Process Injection, Suspicious Control Process, MOFComp Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Regasm Regsvcs Usage, Malspam Execution Registering Malicious DLL, CertOC Loading Dll, xWizard Execution, PowerShell Execution Via Rundll32, Control Panel Items, Empire Monkey Activity, Suspicious Desktopimgdownldr Execution, Suspicious Taskkill Command, Suspicious Mshta Execution, Suspicious DLL Loading By Ordinal, Suspicious Regsvr32 Execution, CMSTP UAC Bypass via COM Object Access, CMSTP Execution, Explorer Process Executing HTA File, Equation Group DLL_U Load, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Microsoft Office Spawning Script, Malspam Execution Registering Malicious DLL, XSL Script Processing And SquiblyTwo Attack, Microsoft Office Creating Suspicious File, Suspicious Windows Script Execution, SquirrelWaffle Malspam Execution Loading DLL, QakBot Process Creation, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Exploit For CVE-2015-1641, Explorer Process Executing HTA File, Winword Document Droppers, Microsoft Office Creating Suspicious File, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Exploit For CVE-2015-1641, Explorer Process Executing HTA File, Winword Document Droppers, Microsoft Office Creating Suspicious File, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, Suspicious Outlook Child Process, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, Bloodhound and Sharphound Tools Usage, Suspicious XOR Encoded PowerShell Command Line, Suspicious PowerShell Keywords, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, Invoke-TheHash Commandlets, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), Mshta Suspicious Child Process, WMImplant Hack Tool, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, FromBase64String Command Line, Suspicious Taskkill Command, PowerShell Downgrade Attack, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious PowerShell Invocations - Generic, PowerShell Download From URL"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, Shadow Copies, Suspicious Headless Web Browser Execution To Download File, System Info Discovery"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Svchost Wrong Parent, Taskhostw Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Smss Wrong Parent, Wsmprovhost Wrong Parent, Wmiprvse Wrong Parent, MavInject Process Injection, Explorer Wrong Parent, Spoolsv Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Searchindexer Wrong Parent"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Rare Logonui Child Found, Searchprotocolhost Wrong Parent, Spoolsv Wrong Parent, New Service Creation, Userinit Wrong Parent, Gpscript Suspicious Parent, SolarWinds Wrong Child Process, Smss Wrong Parent, Explorer Wrong Parent, Winword wrong parent, OneNote Suspicious Children Process, Dllhost Wrong Parent, Svchost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Lsass Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Rare Lsass Child Found, Searchprotocolhost Child Found, Csrss Wrong Parent, Csrss Child Found, Suspicious Commands From MS SQL Server Shell, Wmiprvse Wrong Parent, Logonui Wrong Parent, Searchindexer Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Rare Logonui Child Found, Searchprotocolhost Wrong Parent, Spoolsv Wrong Parent, New Service Creation, Userinit Wrong Parent, Gpscript Suspicious Parent, SolarWinds Wrong Child Process, Smss Wrong Parent, Explorer Wrong Parent, Winword wrong parent, OneNote Suspicious Children Process, Dllhost Wrong Parent, Svchost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Lsass Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Rare Lsass Child Found, Searchprotocolhost Child Found, Csrss Wrong Parent, Csrss Child Found, Suspicious Commands From MS SQL Server Shell, Wmiprvse Wrong Parent, Logonui Wrong Parent, Searchindexer Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Rare Logonui Child Found, Searchprotocolhost Wrong Parent, PsExec Process, Spoolsv Wrong Parent, Userinit Wrong Parent, Gpscript Suspicious Parent, SolarWinds Wrong Child Process, Smss Wrong Parent, Usage Of Procdump With Common Arguments, Winword wrong parent, OneNote Suspicious Children Process, Suspicious DNS Child Process, Dllhost Wrong Parent, Svchost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Lsass Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Rare Lsass Child Found, Searchprotocolhost Child Found, Csrss Wrong Parent, Csrss Child Found, Suspicious Commands From MS SQL Server Shell, Usage Of Sysinternals Tools, Wmiprvse Wrong Parent, Logonui Wrong Parent, Searchindexer Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Rare Logonui Child Found, Searchprotocolhost Wrong Parent, PsExec Process, Spoolsv Wrong Parent, Userinit Wrong Parent, Exfiltration Via Pscp, Windows Update LolBins, Gpscript Suspicious Parent, SolarWinds Wrong Child Process, Smss Wrong Parent, Usage Of Procdump With Common Arguments, Winword wrong parent, OneNote Suspicious Children Process, Suspicious DNS Child Process, Dllhost Wrong Parent, Svchost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Lsass Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Rare Lsass Child Found, Searchprotocolhost Child Found, Csrss Wrong Parent, Csrss Child Found, SolarWinds Suspicious File Creation, Suspicious Commands From MS SQL Server Shell, Usage Of Sysinternals Tools, Wmiprvse Wrong Parent, Logonui Wrong Parent, Searchindexer Wrong Parent"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Enabling Restricted Admin Mode, Add User to Privileged Group, SSH Authorized Key Alteration"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Netsh Allow Command, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Program Allowed With Suspicious Location, Powershell AMSI Bypass, Netsh Port Opening, Netsh Port Forwarding"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Blue Mockingbird Malware, Wdigest Enable UseLogonCredential, RDP Sensitive Settings Changed, Suspicious New Printer Ports In Registry, RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, DHCP Callout DLL Installation, Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Control Panel Items, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, PowerShell Data Compressed, Data Compressed With Rar With Password"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Schtasks Persistence With High Privileges, Cron Files Alteration, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, Suspicious DNS Child Process"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2, Network Scanning and Discovery, Openfiles Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 1, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 1, Network Share Discovery, PowerView commandlets 2"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, Trickbot Malware Activity, PowerView commandlets 2, NlTest Usage, AdFind Usage, PowerView commandlets 1"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading, Webshell Creation, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading, Webshell Creation, IIS Module Installation Using AppCmd, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Copy Of Legitimate System32 Executable, AutoIt3 Execution From Suspicious Folder, Formbook Hijacked Process Command, Non-Legitimate Executable Using AcceptEula Parameter, Legitimate Process Execution From Unusual Folder, Suspicious Cmd.exe Command Line, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Socat Reverse Shell Detection, Socat Relaying Socket, Potential DNS Tunnel, Venom Multi-hop Proxy agent detection, Ngrok Process Execution, Netsh Port Forwarding"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Stop Backup Services, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Impacket Wmiexec Module, WMI Install Of Binary, Invoke-TheHash Commandlets, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, Wmic Process Call Creation, WMIC Uninstall Product, WMImplant Hack Tool, Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Program Allowed With Suspicious Location, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Port Opening, Disabled IE Security Features, Netsh Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, Package Manager Alteration, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disable Services, Address Space Layout Randomization (ASLR) Alteration, Fail2ban Unban IP, Raccine Uninstall, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Suspicious PROCEXP152.sys File Created In Tmp, Disable Task Manager Through Registry Key"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Cryptomining, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing, Suspicious Windows DNS Queries, DNS Tunnel Technique From MuddyWater, Dynamic DNS Contacted"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, DLL Load via LSASS Registry Key, Suspicious desktop.ini Action, NjRat Registry Changes, Svchost Modification, Njrat Registry Values, Autorun Keys Modification, Kernel Module Alteration, Powershell Winlogon Helper DLL, Malware Persistence Registry Key"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Suspicious XOR Encoded PowerShell Command Line, OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, IcedID Execution Using Excel"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, Svchost Modification, Malware Persistence Registry Key"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, Empire Monkey Activity, Equation Group DLL_U Load, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Elise Backdoor, Exploited CVE-2020-10189 Zoho ManageEngine, Exploiting SetupComplete.cmd CVE-2019-1378, Phorpiex DriveMgr Command, Malspam Execution Registering Malicious DLL, Suspicious Cmd.exe Command Line, Suspicious Taskkill Command, Mustang Panda Dropper, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Adexplorer Usage, Opening Of a Password File, Linux Suspicious Search, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, Erase Shell History, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line, Exfiltration Domain"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Legitimate Process Execution From Unusual Folder, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious New Printer Ports In Registry, Msdt (Follina) File Browse Process Execution, Exploit For CVE-2015-1641, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Hangul Word Processor Child Process, Suspicious Outlook Child Process"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, Suspicious Windows DNS Queries"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Exploiting SetupComplete.cmd CVE-2019-1378, Hijack Legit RDP Session To Move Laterally, Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Suspicious New Printer Ports In Registry, Certify Or Certipy, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_5a8ef52f-d143-4735-8546-98539fc07725_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_5a8ef52f-d143-4735-8546-98539fc07725_do_not_edit_manually.json
index bc0a9b0832..ee3e2b404f 100644
--- a/_shared_content/operations_center/detection/generated/attack_5a8ef52f-d143-4735-8546-98539fc07725_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_5a8ef52f-d143-4735-8546-98539fc07725_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco Umbrella Proxy", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Correlation Potential DNS Tunnel, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cryptomining, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, LokiBot Default C2 URL"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, LokiBot Default C2 URL"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco Umbrella Proxy", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Correlation Potential DNS Tunnel, Detect requests to Konni C2 servers, Koadic MSHTML Command, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Covenant Default HTTP Beaconing, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Download Files From Non-Legitimate TLDs, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_5cf6cc3b-50ca-48f5-a3ea-b9be92914fa2_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_5cf6cc3b-50ca-48f5-a3ea-b9be92914fa2_do_not_edit_manually.json
index a450eec8cd..dd140037e9 100644
--- a/_shared_content/operations_center/detection/generated/attack_5cf6cc3b-50ca-48f5-a3ea-b9be92914fa2_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_5cf6cc3b-50ca-48f5-a3ea-b9be92914fa2_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco Umbrella IP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco Umbrella IP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_5d9e261a-944c-4a76-8c61-6794fd44d9a8_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_5d9e261a-944c-4a76-8c61-6794fd44d9a8_do_not_edit_manually.json
index 093c4bb3e0..e0c2baa17a 100644
--- a/_shared_content/operations_center/detection/generated/attack_5d9e261a-944c-4a76-8c61-6794fd44d9a8_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_5d9e261a-944c-4a76-8c61-6794fd44d9a8_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Unbound", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Correlation Potential DNS Tunnel, Cobalt Strike DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining, Sliver DNS Beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cobalt Strike DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining, Sliver DNS Beaconing"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Unbound", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing, Dynamic DNS Contacted, Cobalt Strike DNS Beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Cobalt Strike DNS Beaconing"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_60af2bd6-7ef0-48a7-a6db-90fcdd7236f1_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_60af2bd6-7ef0-48a7-a6db-90fcdd7236f1_do_not_edit_manually.json
index 8c527547b2..cca7ae9293 100644
--- a/_shared_content/operations_center/detection/generated/attack_60af2bd6-7ef0-48a7-a6db-90fcdd7236f1_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_60af2bd6-7ef0-48a7-a6db-90fcdd7236f1_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Fortinet FortiMail", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, HackTools Suspicious Names, Credential Dump Tools Related Files"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Correlation Potential DNS Tunnel, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Suspicious Email Attachment Received, Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Fortinet FortiMail", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1557", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit, EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit, EvilProxy Phishing Domain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, HackTools Suspicious Names, WCE wceaux.dll Creation"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, SEKOIA.IO Intelligence Feed, Correlation Potential DNS Tunnel, Detect requests to Konni C2 servers, Koadic MSHTML Command, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Download Files From Non-Legitimate TLDs, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, Suspicious Email Attachment Received"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_622999fe-d383-4d41-9f2d-eed5013fe463_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_622999fe-d383-4d41-9f2d-eed5013fe463_do_not_edit_manually.json
index 8315800f5c..b506bf23b4 100644
--- a/_shared_content/operations_center/detection/generated/attack_622999fe-d383-4d41-9f2d-eed5013fe463_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_622999fe-d383-4d41-9f2d-eed5013fe463_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x SonicWall Secure Mobile Access", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x SonicWall Secure Mobile Access", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Cryptomining, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_63974ce1-2f0a-44f7-a4cf-3e64787c1c39_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_63974ce1-2f0a-44f7-a4cf-3e64787c1c39_do_not_edit_manually.json
index b13580ab75..44e920b9e5 100644
--- a/_shared_content/operations_center/detection/generated/attack_63974ce1-2f0a-44f7-a4cf-3e64787c1c39_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_63974ce1-2f0a-44f7-a4cf-3e64787c1c39_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Microsoft IIS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, Koadic MSHTML Command"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Microsoft IIS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, Koadic MSHTML Command"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_6967b0ca-f27e-480a-b124-fa4ab0b9d889_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_6967b0ca-f27e-480a-b124-fa4ab0b9d889_do_not_edit_manually.json
index 5d8b43681c..79c041ccc0 100644
--- a/_shared_content/operations_center/detection/generated/attack_6967b0ca-f27e-480a-b124-fa4ab0b9d889_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_6967b0ca-f27e-480a-b124-fa4ab0b9d889_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Azure Application Gateway [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential LokiBot User-Agent, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cryptomining, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, LokiBot Default C2 URL"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-21985 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2020-1147 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-17530 Apache Struts RCE, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-41773 Apache 2.4.49 Path Traversal, GitLab CVE-2021-22205, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2019-0604 SharePoint"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential LokiBot User-Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, LokiBot Default C2 URL"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Azure Application Gateway [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Covenant Default HTTP Beaconing, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), GitLab CVE-2021-22205, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_69b52166-b804-4f47-860f-2d3fd0b46987_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_69b52166-b804-4f47-860f-2d3fd0b46987_do_not_edit_manually.json
index abfb9e2c8f..60e45f4b9d 100644
--- a/_shared_content/operations_center/detection/generated/attack_69b52166-b804-4f47-860f-2d3fd0b46987_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_69b52166-b804-4f47-860f-2d3fd0b46987_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Azure Front Door", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected, WAF Block Rule, WAF Correlation Block actions"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected, WAF Block Rule, WAF Correlation Block actions"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential LokiBot User-Agent, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Dynamic DNS Contacted, Cobalt Strike HTTP Default POST Beaconing, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default GET beaconing, Cryptomining, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, LokiBot Default C2 URL"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-21985 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2020-1147 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-17530 Apache Struts RCE, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-41773 Apache 2.4.49 Path Traversal, GitLab CVE-2021-22205, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2019-0604 SharePoint"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential LokiBot User-Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Cobalt Strike HTTP Default POST Beaconing, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, LokiBot Default C2 URL"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Azure Front Door", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Correlation Block actions, WAF Block Rule, Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: WAF Correlation Block actions, WAF Block Rule, Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing, Cobalt Strike HTTP Default GET beaconing, Detect requests to Konni C2 servers, Koadic MSHTML Command, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Covenant Default HTTP Beaconing, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), GitLab CVE-2021-22205, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing, Cobalt Strike HTTP Default GET beaconing, Detect requests to Konni C2 servers, Koadic MSHTML Command, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_6b8cb346-6605-4240-ac15-3828627ba899_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_6b8cb346-6605-4240-ac15-3828627ba899_do_not_edit_manually.json
index 67b528cbaf..b9e340c1f7 100644
--- a/_shared_content/operations_center/detection/generated/attack_6b8cb346-6605-4240-ac15-3828627ba899_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_6b8cb346-6605-4240-ac15-3828627ba899_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x WALLIX Bastion", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Venom Multi-hop Proxy agent detection, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, Socat Reverse Shell Detection, WMImplant Hack Tool, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Mustang Panda Dropper, PowerShell EncodedCommand, QakBot Process Creation, Socat Relaying Socket, Powershell Web Request, Malspam Execution Registering Malicious DLL, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Taskkill Command, Bloodhound and Sharphound Tools Usage, MalwareBytes Uninstallation, PowerShell Commands Invocation, Invoke-TheHash Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, WMIC Uninstall Product, Suspicious PowerShell Invocations - Generic, Lazarus Loaders, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, PowerShell Invoke Expression With Registry, Linux Bash Reverse Shell"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Process Names In Command Line, Process Trace Alteration, Process Memory Dump Using Rdrleakdiag, Mimikatz Basic Commands, Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, Wdigest Enable UseLogonCredential, NTDS.dit File Interaction Through Command Line, Suspicious CommandLine Lsassy Pattern, Copying Browser Files With Credentials"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious certutil command, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Powershell AMSI Bypass, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Forwarding, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh RDP Port Forwarding, Netsh Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Disabled IE Security Features, ETW Tampering, Powershell AMSI Bypass, MalwareBytes Uninstallation, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Windows Firewall Changes, Microsoft Defender Antivirus Disable Using Registry, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Task Manager Through Registry Key, Netsh Allowed Python Program, Debugging Software Deactivation"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Wdigest Enable UseLogonCredential, Suspicious Desktopimgdownldr Execution, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, PowerView commandlets 1, AdFind Usage, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, MavInject Process Injection, Suspicious Desktopimgdownldr Execution, Equation Group DLL_U Load, Control Panel Items, CertOC Loading Dll, Suspicious DLL Loading By Ordinal, Suspicious Taskkill Command, Suspicious Windows Installer Execution"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Control Panel Items, Change Default File Association, Component Object Model Hijacking"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket, SOCKS Tunneling Tool, Ngrok Process Execution, Netsh Port Forwarding"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Stop Backup Services"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Process Call Creation, WMIC Uninstall Product, WMImplant Hack Tool, WMI Install Of Binary, Invoke-TheHash Commandlets, Wmic Service Call, Blue Mockingbird Malware"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, Default Encoding To UTF-8 PowerShell, Suspicious PowerShell Invocations - Generic, Powershell Web Request, WMImplant Hack Tool, Suspicious PowerShell Keywords, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, FromBase64String Command Line, DNS Exfiltration and Tunneling Tools Execution, Suspicious Taskkill Command, PowerShell Invoke Expression With Registry, Invoke-TheHash Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Bloodhound and Sharphound Tools Usage, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Autorun Keys Modification, Leviathan Registry Key Activity, Njrat Registry Values, NjRat Registry Changes"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, WMIC Uninstall Product, MalwareBytes Uninstallation, Raccine Uninstall, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Disable Services, Netsh RDP Port Forwarding, Netsh Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Disabled IE Security Features"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, QakBot Process Creation"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, ETW Tampering, Compression Followed By Suppression"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, PowerShell Data Compressed"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, MalwareBytes Uninstallation, Malspam Execution Registering Malicious DLL, Lazarus Loaders, Suspicious Taskkill Command, Phorpiex DriveMgr Command, Mustang Panda Dropper"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access, Container Credential Access"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x WALLIX Bastion", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, PowerShell Commands Invocation, Bloodhound and Sharphound Tools Usage, Venom Multi-hop Proxy agent detection, Suspicious PowerShell Keywords, WMIC Uninstall Product, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Socat Reverse Shell Detection, Phorpiex DriveMgr Command, Invoke-TheHash Commandlets, Malspam Execution Registering Malicious DLL, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), WMImplant Hack Tool, Sekoia.io EICAR Detection, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Socat Relaying Socket, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, FromBase64String Command Line, Suspicious Taskkill Command, QakBot Process Creation, Linux Bash Reverse Shell, Suspicious PowerShell Invocations - Generic, Mustang Panda Dropper, Lazarus Loaders, MalwareBytes Uninstallation"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, Process Trace Alteration, Suspicious CommandLine Lsassy Pattern, Mimikatz Basic Commands, HackTools Suspicious Process Names In Command Line, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Rdrleakdiag, Wdigest Enable UseLogonCredential, Copying Browser Files With Credentials"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious certutil command, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Windows Firewall Changes, Powershell AMSI Bypass, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Netsh RDP Port Forwarding, Windows Firewall Changes, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Powershell AMSI Bypass, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Disabled IE Security Features, Netsh Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, ETW Tampering, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable Services, Address Space Layout Randomization (ASLR) Alteration, Clear EventLogs Through CommandLine, Raccine Uninstall, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Blue Mockingbird Malware, Wdigest Enable UseLogonCredential, RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, DHCP Callout DLL Installation, Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, AdFind Usage, NlTest Usage, PowerView commandlets 1"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution, Control Panel Items, Malspam Execution Registering Malicious DLL, CertOC Loading Dll, Suspicious Desktopimgdownldr Execution, MavInject Process Injection, Equation Group DLL_U Load, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Control Panel Items, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Copy Of Legitimate System32 Executable, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Ngrok Process Execution, Netsh Port Forwarding"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Stop Backup Services, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, WMI Install Of Binary, Invoke-TheHash Commandlets, Blue Mockingbird Malware, Wmic Process Call Creation, WMIC Uninstall Product, WMImplant Hack Tool"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Default Encoding To UTF-8 PowerShell, PowerShell Invoke Expression With Registry, Invoke-TheHash Commandlets, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Generic, Bloodhound and Sharphound Tools Usage, Powershell Web Request, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, FromBase64String Command Line, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, NjRat Registry Changes, Njrat Registry Values, Autorun Keys Modification, Malware Persistence Registry Key"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Services, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, Microsoft Defender Antivirus Disable Using Registry, WMIC Uninstall Product, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Forwarding, Disable Task Manager Through Registry Key"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, FromBase64String Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, QakBot Process Creation"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line, Exfiltration Domain"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar With Password"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Mustang Panda Dropper, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Dynamic DNS Contacted"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access, Container Credential Access"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_6c2a44e3-a86a-4d98-97a6-d575ffcb29f7_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_6c2a44e3-a86a-4d98-97a6-d575ffcb29f7_do_not_edit_manually.json
index 2172ef5e10..cc09715270 100644
--- a/_shared_content/operations_center/detection/generated/attack_6c2a44e3-a86a-4d98-97a6-d575ffcb29f7_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_6c2a44e3-a86a-4d98-97a6-d575ffcb29f7_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Apache HTTP Server", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console, Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential LokiBot User-Agent, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Dynamic DNS Contacted, Cobalt Strike HTTP Default POST Beaconing, Correlation Potential DNS Tunnel, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default GET beaconing, Cryptomining, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, LokiBot Default C2 URL"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-21985 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2020-1147 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-17530 Apache Struts RCE, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-41773 Apache 2.4.49 Path Traversal, GitLab CVE-2021-22205, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2019-0604 SharePoint"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential LokiBot User-Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Cobalt Strike HTTP Default POST Beaconing, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, LokiBot Default C2 URL"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Apache HTTP Server", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Correlation Potential DNS Tunnel, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing, Cobalt Strike HTTP Default GET beaconing, Detect requests to Konni C2 servers, Koadic MSHTML Command, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Covenant Default HTTP Beaconing, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), GitLab CVE-2021-22205, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing, Cobalt Strike HTTP Default GET beaconing, Detect requests to Konni C2 servers, Koadic MSHTML Command, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_6dbdd199-77ae-4705-a5de-5c2722fa020e_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_6dbdd199-77ae-4705-a5de-5c2722fa020e_do_not_edit_manually.json
index f996579b86..b4061ce071 100644
--- a/_shared_content/operations_center/detection/generated/attack_6dbdd199-77ae-4705-a5de-5c2722fa020e_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_6dbdd199-77ae-4705-a5de-5c2722fa020e_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Ubika WAAP Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected, WAF Block Rule, WAF Correlation Block actions"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected, WAF Block Rule, WAF Correlation Block actions"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential LokiBot User-Agent, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Bazar Loader DGA (Domain Generation Algorithm), Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cryptomining, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, LokiBot Default C2 URL"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-21985 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2020-1147 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-17530 Apache Struts RCE, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-41773 Apache 2.4.49 Path Traversal, GitLab CVE-2021-22205, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2019-0604 SharePoint"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential LokiBot User-Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, LokiBot Default C2 URL"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Ubika WAAP Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Correlation Block actions, WAF Block Rule, Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: WAF Correlation Block actions, WAF Block Rule, Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Bazar Loader DGA (Domain Generation Algorithm), FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Covenant Default HTTP Beaconing, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), GitLab CVE-2021-22205, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_700f332f-d515-4bc5-8a62-49fa5f2c9206_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_700f332f-d515-4bc5-8a62-49fa5f2c9206_do_not_edit_manually.json
index 1640c88778..4672f4d41e 100644
--- a/_shared_content/operations_center/detection/generated/attack_700f332f-d515-4bc5-8a62-49fa5f2c9206_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_700f332f-d515-4bc5-8a62-49fa5f2c9206_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco IOS router and switch", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco IOS router and switch", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_70c5c3db-fae8-4825-8d8b-08d6315e1ef6_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_70c5c3db-fae8-4825-8d8b-08d6315e1ef6_do_not_edit_manually.json
index be86229595..1812b93542 100644
--- a/_shared_content/operations_center/detection/generated/attack_70c5c3db-fae8-4825-8d8b-08d6315e1ef6_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_70c5c3db-fae8-4825-8d8b-08d6315e1ef6_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Azure Files", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cryptomining, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, LokiBot Default C2 URL"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, LokiBot Default C2 URL"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Azure Files", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Koadic MSHTML Command, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Covenant Default HTTP Beaconing, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_76d767ed-5431-4db1-b893-a48b6903d871_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_76d767ed-5431-4db1-b893-a48b6903d871_do_not_edit_manually.json
index 04c248d3ca..9f41912e6d 100644
--- a/_shared_content/operations_center/detection/generated/attack_76d767ed-5431-4db1-b893-a48b6903d871_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_76d767ed-5431-4db1-b893-a48b6903d871_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cloudflare Audit logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1557", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cloudflare Audit logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1557", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4_do_not_edit_manually.json
index cb4c024eab..40a816d181 100644
--- a/_shared_content/operations_center/detection/generated/attack_79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Stormshield SNS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Venom Multi-hop Proxy agent detection, Suspicious Windows Script Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious CodePage Switch with CHCP, Default Encoding To UTF-8 PowerShell, Socat Reverse Shell Detection, Generic-reverse-shell-oneliner, WMImplant Hack Tool, Suspicious PowerShell Keywords, PowerShell Downgrade Attack, Suspicious PrinterPorts Creation (CVE-2020-1048), Mustang Panda Dropper, PowerShell EncodedCommand, QakBot Process Creation, Socat Relaying Socket, Sysprep On AppData Folder, Python Offensive Tools and Packages, Powershell Web Request, Malspam Execution Registering Malicious DLL, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Taskkill Command, Bloodhound and Sharphound Tools Usage, MalwareBytes Uninstallation, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Download From URL, PowerShell Commands Invocation, Invoke-TheHash Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, XSL Script Processing And SquiblyTwo Attack, Suspicious XOR Encoded PowerShell Command Line, WMIC Uninstall Product, Suspicious PowerShell Invocations - Generic, Suspicious VBS Execution Parameter, Suspicious PowerShell Invocations - Specific, Lazarus Loaders, Elise Backdoor, DNS Exfiltration and Tunneling Tools Execution, PowerShell Invoke Expression With Registry, Linux Bash Reverse Shell"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Process Names In Command Line, Cmdkey Cached Credentials Recon, HackTools Suspicious Names, Process Trace Alteration, Process Memory Dump Using Rdrleakdiag, Mimikatz Basic Commands, Rubeus Tool Command-line, Grabbing Sensitive Hives Via Reg Utility, Process Memory Dump Using Comsvcs, Wdigest Enable UseLogonCredential, NTDS.dit File Interaction Through Command Line, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Createdump, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Rclone Process, Suspicious certutil command, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, QakBot Process Creation, Suspicious CodePage Switch with CHCP, Malspam Execution Registering Malicious DLL, Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Shadow Copies, Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Add User to Privileged Group, Enabling Restricted Admin Mode"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Powershell AMSI Bypass, Netsh Port Opening, Netsh Allow Command, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Allow Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh RDP Port Opening, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh RDP Port Forwarding, Netsh Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Disabled IE Security Features, ETW Tampering, Powershell AMSI Bypass, MalwareBytes Uninstallation, Raccine Uninstall, Disable Windows Defender Credential Guard, Address Space Layout Randomization (ASLR) Alteration, Windows Firewall Changes, Microsoft Defender Antivirus Disable Using Registry, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable Services, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, WMIC Uninstall Product, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Port Opening, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Task Manager Through Registry Key, Netsh Allowed Python Program, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Wdigest Enable UseLogonCredential, Suspicious Desktopimgdownldr Execution, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Empire Monkey Activity, Suspicious Desktopimgdownldr Execution, Suspicious Mshta Execution, xWizard Execution, Suspicious Regsvr32 Execution, Malspam Execution Registering Malicious DLL, MavInject Process Injection, PowerShell Execution Via Rundll32, CertOC Loading Dll, Suspicious DLL Loading By Ordinal, Suspicious Taskkill Command, Explorer Process Executing HTA File, Equation Group DLL_U Load, Suspicious Regasm Regsvcs Usage, CMSTP Execution, Control Panel Items, Suspicious Control Process, AccCheckConsole Executing Dll, Mshta JavaScript Execution, Suspicious Windows Installer Execution, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password, PowerShell Data Compressed"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Openfiles Usage, Network Scanning and Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, PowerView commandlets 1, AdFind Usage, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Control Panel Items, Change Default File Association, Component Object Model Hijacking"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, PowerCat Function Loading"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Ngrok Process Execution, Netsh Port Forwarding"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Stop Backup Services"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Process Call Creation, WMIC Uninstall Product, WMImplant Hack Tool, WMI Install Of Binary, Invoke-TheHash Commandlets, Wmic Service Call, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, WMImplant Hack Tool, Suspicious PowerShell Keywords, PowerShell Downgrade Attack, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Powershell Web Request, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Taskkill Command, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Download From URL, Invoke-TheHash Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, Suspicious PowerShell Invocations - Generic, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, PowerShell Invoke Expression With Registry"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh RDP Port Forwarding, Netsh Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Disabled IE Security Features, MalwareBytes Uninstallation, Raccine Uninstall, Disable Windows Defender Credential Guard, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Disable Services, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, WMIC Uninstall Product, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Port Opening, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Task Manager Through Registry Key, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Autorun Keys Modification, Leviathan Registry Key Activity, Njrat Registry Values, Kernel Module Alteration, NjRat Registry Changes"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious XOR Encoded PowerShell Command Line, Suspicious certutil command, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Gpresult Usage, Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, Network Sniffing, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Exfiltration Via Pscp, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, WMIC Uninstall Product, MalwareBytes Uninstallation, Malspam Execution Registering Malicious DLL, Lazarus Loaders, Elise Backdoor, Suspicious Taskkill Command, Phorpiex DriveMgr Command, Mustang Panda Dropper"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access, Adexplorer Usage, Linux Suspicious Search, Opening Of a Password File, Container Credential Access"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, Erase Shell History, ETW Tampering, Compression Followed By Suppression"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Malspam Execution Registering Malicious DLL, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Dynamic DNS Contacted, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding, TOR Usage"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Stormshield SNS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, PowerShell Commands Invocation, Bloodhound and Sharphound Tools Usage, Suspicious XOR Encoded PowerShell Command Line, Venom Multi-hop Proxy agent detection, Suspicious PowerShell Keywords, WMIC Uninstall Product, Suspicious PowerShell Invocations - Specific, Suspicious VBS Execution Parameter, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious CodePage Switch with CHCP, Socat Reverse Shell Detection, Phorpiex DriveMgr Command, Invoke-TheHash Commandlets, Malspam Execution Registering Malicious DLL, Powershell Web Request, XSL Script Processing And SquiblyTwo Attack, Suspicious PrinterPorts Creation (CVE-2020-1048), WMImplant Hack Tool, Sekoia.io EICAR Detection, Default Encoding To UTF-8 PowerShell, Python Offensive Tools and Packages, DNS Exfiltration and Tunneling Tools Execution, Socat Relaying Socket, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, FromBase64String Command Line, Suspicious Taskkill Command, Generic-reverse-shell-oneliner, QakBot Process Creation, Linux Bash Reverse Shell, PowerShell Downgrade Attack, Elise Backdoor, Suspicious PowerShell Invocations - Generic, Suspicious Windows Script Execution, Mustang Panda Dropper, Lazarus Loaders, Sysprep On AppData Folder, PowerShell Download From URL"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, Copying Sensitive Files With Credential Data, Process Trace Alteration, Suspicious CommandLine Lsassy Pattern, Mimikatz Basic Commands, HackTools Suspicious Process Names In Command Line, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Names, Process Memory Dump Using Rdrleakdiag, Wdigest Enable UseLogonCredential, Grabbing Sensitive Hives Via Reg Utility, Process Memory Dump Using Createdump, Copying Browser Files With Credentials"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Rclone Process, Suspicious Finger Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Malspam Execution Registering Malicious DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, QakBot Process Creation, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, Shadow Copies, Suspicious Headless Web Browser Execution To Download File, System Info Discovery"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Netsh Allow Command, Netsh RDP Port Forwarding, Windows Firewall Changes, Powershell AMSI Bypass, Netsh Port Opening, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Netsh RDP Port Forwarding, Windows Firewall Changes, Microsoft Defender Antivirus Disable SecurityHealth, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Powershell AMSI Bypass, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Opening, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Port Opening, Disabled IE Security Features, Netsh Port Forwarding, Netsh Allow Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, ETW Tampering, Disable .NET ETW Through COMPlus_ETWEnabled, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disable Services, Address Space Layout Randomization (ASLR) Alteration, Fail2ban Unban IP, Clear EventLogs Through CommandLine, Raccine Uninstall, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Blue Mockingbird Malware, Wdigest Enable UseLogonCredential, RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, DHCP Callout DLL Installation, Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, Suspicious Rundll32.exe Execution, Mshta JavaScript Execution, MavInject Process Injection, Suspicious Control Process, Suspicious Regasm Regsvcs Usage, Malspam Execution Registering Malicious DLL, CertOC Loading Dll, xWizard Execution, PowerShell Execution Via Rundll32, Control Panel Items, Empire Monkey Activity, Suspicious Desktopimgdownldr Execution, Suspicious Taskkill Command, Suspicious Mshta Execution, Suspicious DLL Loading By Ordinal, Suspicious Regsvr32 Execution, CMSTP Execution, Explorer Process Executing HTA File, Equation Group DLL_U Load"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, PowerShell Data Compressed, Data Compressed With Rar With Password"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2, Network Scanning and Discovery, Openfiles Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 1, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 1, Network Share Discovery, PowerView commandlets 2"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, AdFind Usage, NlTest Usage, PowerView commandlets 1"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Control Panel Items, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, RTLO Character, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Ngrok Process Execution, Netsh Port Forwarding"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Stop Backup Services, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, WMI Install Of Binary, Invoke-TheHash Commandlets, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, Wmic Process Call Creation, WMIC Uninstall Product, WMImplant Hack Tool"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, Bloodhound and Sharphound Tools Usage, Suspicious XOR Encoded PowerShell Command Line, Suspicious PowerShell Keywords, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, Invoke-TheHash Commandlets, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), WMImplant Hack Tool, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, FromBase64String Command Line, Suspicious Taskkill Command, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Generic, PowerShell Download From URL"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable SecurityHealth, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Port Opening, Disabled IE Security Features, Netsh Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disable Services, Address Space Layout Randomization (ASLR) Alteration, Fail2ban Unban IP, Raccine Uninstall, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, NjRat Registry Changes, Njrat Registry Values, Autorun Keys Modification, Kernel Module Alteration, Malware Persistence Registry Key"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Exfiltration Via Pscp, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Elise Backdoor, Phorpiex DriveMgr Command, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Mustang Panda Dropper, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Adexplorer Usage, Opening Of a Password File, Linux Suspicious Search, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, Erase Shell History, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line, Exfiltration Domain"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Malspam Execution Registering Malicious DLL, Empire Monkey Activity, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Cryptomining, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Bazar Loader DGA (Domain Generation Algorithm), Koadic MSHTML Command, Dynamic DNS Contacted"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage, Netsh Port Forwarding"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_7954ae6f-eafa-404d-8e15-4b99a12b754c_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_7954ae6f-eafa-404d-8e15-4b99a12b754c_do_not_edit_manually.json
index 30f3c263ba..009498901c 100644
--- a/_shared_content/operations_center/detection/generated/attack_7954ae6f-eafa-404d-8e15-4b99a12b754c_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_7954ae6f-eafa-404d-8e15-4b99a12b754c_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Apache SpamAssassin", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Apache SpamAssassin", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_7a12aa3b-ec73-4ebb-8fb3-f7c543fd84a5_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_7a12aa3b-ec73-4ebb-8fb3-f7c543fd84a5_do_not_edit_manually.json
index 6f27ce8b2b..a95a0ad387 100644
--- a/_shared_content/operations_center/detection/generated/attack_7a12aa3b-ec73-4ebb-8fb3-f7c543fd84a5_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_7a12aa3b-ec73-4ebb-8fb3-f7c543fd84a5_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Ivanti / Pulse Connect Secure", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Ivanti / Pulse Connect Secure", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Correlation Potential DNS Tunnel, Koadic MSHTML Command, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_7b1317ec-3f87-4b53-9b6d-3f79045f28fa_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_7b1317ec-3f87-4b53-9b6d-3f79045f28fa_do_not_edit_manually.json
index 2876daabc4..fce92629e5 100644
--- a/_shared_content/operations_center/detection/generated/attack_7b1317ec-3f87-4b53-9b6d-3f79045f28fa_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_7b1317ec-3f87-4b53-9b6d-3f79045f28fa_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cloudflare Gateway DNS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Correlation Potential DNS Tunnel, Cobalt Strike DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining, Sliver DNS Beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage, Suspicious TOR Gateway"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cobalt Strike DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining, Sliver DNS Beaconing"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cloudflare Gateway DNS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing, Dynamic DNS Contacted, Cobalt Strike DNS Beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Cobalt Strike DNS Beaconing"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_7b75d498-4a65-4d44-aa81-31090d723a60_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_7b75d498-4a65-4d44-aa81-31090d723a60_do_not_edit_manually.json
index 096ec48271..cb33e58349 100644
--- a/_shared_content/operations_center/detection/generated/attack_7b75d498-4a65-4d44-aa81-31090d723a60_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_7b75d498-4a65-4d44-aa81-31090d723a60_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Varonis Data Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner New Issues"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, Cobalt Strike Default Beacons Names, HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, Process Trace Alteration, NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation, Credential Dump Tools Related Files"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Varonis Data Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner New Issues"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, HTA Infection Chains, Cobalt Strike Default Beacons Names, ISO LNK Infection Chain"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Process Trace Alteration, NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation, HackTools Suspicious Names"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Email Attachment Received"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_80b8382e-0667-4469-bbc9-74be1e0ca1c1_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_80b8382e-0667-4469-bbc9-74be1e0ca1c1_do_not_edit_manually.json
index a016eb0eb2..fb831c0084 100644
--- a/_shared_content/operations_center/detection/generated/attack_80b8382e-0667-4469-bbc9-74be1e0ca1c1_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_80b8382e-0667-4469-bbc9-74be1e0ca1c1_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Microsoft Always On VPN", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Microsoft Always On VPN", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_80de6ccb-7246-40de-bcbb-bc830118c1f9_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_80de6ccb-7246-40de-bcbb-bc830118c1f9_do_not_edit_manually.json
index 4e34682eb7..de3c3fd1d4 100644
--- a/_shared_content/operations_center/detection/generated/attack_80de6ccb-7246-40de-bcbb-bc830118c1f9_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_80de6ccb-7246-40de-bcbb-bc830118c1f9_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Github Audit logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: GitHub New Organization Member, GitHub Delete Action, GitHub Dependabot Or Vulnerability Alerts Disabled, GitHub High Risk Configuration Disabled, GitHub Outside Collaborator Detected"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: GitHub New Organization Member, GitHub Delete Action, GitHub Dependabot Or Vulnerability Alerts Disabled, GitHub High Risk Configuration Disabled, GitHub Outside Collaborator Detected"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Dynamic DNS Contacted, Cryptomining, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Github Audit logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: GitHub Outside Collaborator Detected, GitHub New Organization Member, GitHub Delete Action, GitHub High Risk Configuration Disabled, GitHub Dependabot Or Vulnerability Alerts Disabled"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: GitHub Outside Collaborator Detected, GitHub New Organization Member, GitHub Delete Action, GitHub High Risk Configuration Disabled, GitHub Dependabot Or Vulnerability Alerts Disabled"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Cryptomining, Potential Lemon Duck User-Agent, Dynamic DNS Contacted"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_838ed6e5-6d5e-4a5b-b079-ab35ac6b2ab9_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_838ed6e5-6d5e-4a5b-b079-ab35ac6b2ab9_do_not_edit_manually.json
index 885b78ed7e..4bf5dcb5ed 100644
--- a/_shared_content/operations_center/detection/generated/attack_838ed6e5-6d5e-4a5b-b079-ab35ac6b2ab9_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_838ed6e5-6d5e-4a5b-b079-ab35ac6b2ab9_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Vade Cloud", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Vade Cloud", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_8461aabe-6eba-4044-ad7f-a0c39a2b2279_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_8461aabe-6eba-4044-ad7f-a0c39a2b2279_do_not_edit_manually.json
index 693814045b..058c5d0bbd 100644
--- a/_shared_content/operations_center/detection/generated/attack_8461aabe-6eba-4044-ad7f-a0c39a2b2279_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_8461aabe-6eba-4044-ad7f-a0c39a2b2279_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Microsoft 365 Message Trace", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Microsoft 365 Message Trace", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_8510051d-c7cf-4b0c-a398-031afe91faa0_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_8510051d-c7cf-4b0c-a398-031afe91faa0_do_not_edit_manually.json
index f0a78bdd51..1bd7ee7926 100644
--- a/_shared_content/operations_center/detection/generated/attack_8510051d-c7cf-4b0c-a398-031afe91faa0_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_8510051d-c7cf-4b0c-a398-031afe91faa0_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x OpenBSD Packet Filter", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x OpenBSD Packet Filter", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_864ade96-a96d-4a0e-ab3d-b7cb7b7db618_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_864ade96-a96d-4a0e-ab3d-b7cb7b7db618_do_not_edit_manually.json
index 9a1da39ed1..837dc8aa3b 100644
--- a/_shared_content/operations_center/detection/generated/attack_864ade96-a96d-4a0e-ab3d-b7cb7b7db618_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_864ade96-a96d-4a0e-ab3d-b7cb7b7db618_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Infoblox DDI", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Correlation Potential DNS Tunnel, Cobalt Strike DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining, Sliver DNS Beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cobalt Strike DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining, Sliver DNS Beaconing"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Infoblox DDI", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing, Dynamic DNS Contacted, Cobalt Strike DNS Beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Cobalt Strike DNS Beaconing"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_890207d2-4878-440d-9079-3dd25d472e0a_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_890207d2-4878-440d-9079-3dd25d472e0a_do_not_edit_manually.json
index fe0d03807d..6729d98e2b 100644
--- a/_shared_content/operations_center/detection/generated/attack_890207d2-4878-440d-9079-3dd25d472e0a_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_890207d2-4878-440d-9079-3dd25d472e0a_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x ManageEngine ADAudit Plus", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, Process Trace Alteration, NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation, Credential Dump Tools Related Files"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration, Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration, Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x ManageEngine ADAudit Plus", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Process Trace Alteration, NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation, HackTools Suspicious Names"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration, Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration, Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_89346697-b64b-45d4-a456-72fd8a2be5d8_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_89346697-b64b-45d4-a456-72fd8a2be5d8_do_not_edit_manually.json
index 448b010180..04102d9192 100644
--- a/_shared_content/operations_center/detection/generated/attack_89346697-b64b-45d4-a456-72fd8a2be5d8_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_89346697-b64b-45d4-a456-72fd8a2be5d8_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Thinkst Canary [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Socat Reverse Shell Detection, Socat Relaying Socket, Bloodhound and Sharphound Tools Usage, Suspicious File Name"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Network Connection Via Certutil, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, HackTools Suspicious Names, Credential Dump Tools Related Files"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Potential DNS Tunnel, Socat Relaying Socket, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential LokiBot User-Agent, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Suspicious Windows DNS Queries, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, LokiBot Default C2 URL"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential LokiBot User-Agent, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Dynamic DNS Contacted, Correlation Potential DNS Tunnel, Covenant Default HTTP Beaconing, Suspicious Windows DNS Queries, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cryptomining, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, LokiBot Default C2 URL"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Suspicious Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-21985 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2020-1147 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-17530 Apache Struts RCE, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-41773 Apache 2.4.49 Path Traversal, GitLab CVE-2021-22205, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2019-0604 SharePoint"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Thinkst Canary [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Socat Reverse Shell Detection, Suspicious File Name, Socat Relaying Socket, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Network Connection Via Certutil, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, HackTools Suspicious Names, WCE wceaux.dll Creation"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Socat Relaying Socket, Exfiltration And Tunneling Tools Execution, Socat Reverse Shell Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Exfiltration And Tunneling Tools Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, Suspicious Windows DNS Queries, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Exfiltration And Tunneling Tools Execution, Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Correlation Potential DNS Tunnel, Suspicious Windows DNS Queries, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Covenant Default HTTP Beaconing, Dynamic DNS Contacted"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage, NlTest Usage"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), GitLab CVE-2021-22205, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_8a9894f8-d7bc-4c06-b96a-8808b3c6cade_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_8a9894f8-d7bc-4c06-b96a-8808b3c6cade_do_not_edit_manually.json
index 03fa95bf30..eb4fa4a78c 100644
--- a/_shared_content/operations_center/detection/generated/attack_8a9894f8-d7bc-4c06-b96a-8808b3c6cade_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_8a9894f8-d7bc-4c06-b96a-8808b3c6cade_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco ISE", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1586.002", "score": 100, "comment": "Rules: Cisco Identity Services Engine Configuration Changed"}, {"techniqueID": "T1586", "score": 100, "comment": "Rules: Cisco Identity Services Engine Configuration Changed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco ISE", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1586.002", "score": 100, "comment": "Rules: Cisco Identity Services Engine Configuration Changed"}, {"techniqueID": "T1586", "score": 100, "comment": "Rules: Cisco Identity Services Engine Configuration Changed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_8d024a2b-3627-4909-818d-26e1e3b2409c_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_8d024a2b-3627-4909-818d-26e1e3b2409c_do_not_edit_manually.json
index bd75ba8828..e2d120ffd0 100644
--- a/_shared_content/operations_center/detection/generated/attack_8d024a2b-3627-4909-818d-26e1e3b2409c_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_8d024a2b-3627-4909-818d-26e1e3b2409c_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Ubika Cloud Protector Traffic [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential LokiBot User-Agent, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Covenant Default HTTP Beaconing, Cryptomining, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential LokiBot User-Agent, Covenant Default HTTP Beaconing, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Ubika Cloud Protector Traffic [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Cryptomining, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Potential LokiBot User-Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.json
index 9842732fbb..e7999600cb 100644
--- a/_shared_content/operations_center/detection/generated/attack_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x TEHTRIS EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File, Malspam Execution Registering Malicious DLL, TEHTRIS EDR Alert, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Venom Multi-hop Proxy agent detection, Suspicious Windows Script Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious CodePage Switch with CHCP, Default Encoding To UTF-8 PowerShell, Socat Reverse Shell Detection, Generic-reverse-shell-oneliner, WMImplant Hack Tool, Suspicious PowerShell Keywords, PowerShell Downgrade Attack, Suspicious PrinterPorts Creation (CVE-2020-1048), Mustang Panda Dropper, PowerShell EncodedCommand, QakBot Process Creation, Socat Relaying Socket, Sysprep On AppData Folder, Powershell Web Request, Malspam Execution Registering Malicious DLL, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Taskkill Command, AutoIt3 Execution From Suspicious Folder, Bloodhound and Sharphound Tools Usage, MalwareBytes Uninstallation, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Download From URL, PowerShell Commands Invocation, Invoke-TheHash Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, XSL Script Processing And SquiblyTwo Attack, Suspicious XOR Encoded PowerShell Command Line, WMIC Uninstall Product, Suspicious PowerShell Invocations - Generic, Microsoft Office Creating Suspicious File, Suspicious VBS Execution Parameter, Suspicious PowerShell Invocations - Specific, Lazarus Loaders, Elise Backdoor, DNS Exfiltration and Tunneling Tools Execution, PowerShell Invoke Expression With Registry, TEHTRIS EDR Alert, Suspicious File Name, Linux Bash Reverse Shell"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Exfiltration Via Pscp, OneNote Suspicious Children Process, PsExec Process, SolarWinds Suspicious File Creation, TEHTRIS EDR Alert, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Process Names In Command Line, Cmdkey Cached Credentials Recon, HackTools Suspicious Names, Process Trace Alteration, NTDS.dit File In Suspicious Directory, Mimikatz Basic Commands, Rubeus Tool Command-line, Grabbing Sensitive Hives Via Reg Utility, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Comsvcs, Wdigest Enable UseLogonCredential, NTDS.dit File Interaction Through Command Line, WCE wceaux.dll Creation, Suspicious CommandLine Lsassy Pattern, Credential Dump Tools Related Files, Process Memory Dump Using Createdump, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Rclone Process, Suspicious certutil command, Network Connection Via Certutil, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, QakBot Process Creation, Suspicious CodePage Switch with CHCP, Microsoft Office Creating Suspicious File, Malspam Execution Registering Malicious DLL, Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Shadow Copies, Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Password Change On Directory Service Restore Mode (DSRM) Account, Add User to Privileged Group, Enabling Restricted Admin Mode"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Powershell AMSI Bypass, Netsh Port Opening, Netsh Allow Command, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Allow Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh RDP Port Opening, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PROCEXP152.sys File Created In Tmp, Netsh RDP Port Forwarding, Netsh Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Disabled IE Security Features, ETW Tampering, Powershell AMSI Bypass, MalwareBytes Uninstallation, Raccine Uninstall, Disable Windows Defender Credential Guard, Address Space Layout Randomization (ASLR) Alteration, Windows Firewall Changes, Microsoft Defender Antivirus Disable Using Registry, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable Services, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, WMIC Uninstall Product, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Port Opening, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Task Manager Through Registry Key, Netsh Allowed Python Program, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Wdigest Enable UseLogonCredential, Suspicious Desktopimgdownldr Execution, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Empire Monkey Activity, Suspicious Desktopimgdownldr Execution, Suspicious Mshta Execution, xWizard Execution, Suspicious Regsvr32 Execution, Malspam Execution Registering Malicious DLL, MavInject Process Injection, PowerShell Execution Via Rundll32, CertOC Loading Dll, Suspicious DLL Loading By Ordinal, Suspicious Taskkill Command, Explorer Process Executing HTA File, Equation Group DLL_U Load, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Regasm Regsvcs Usage, CMSTP Execution, Control Panel Items, Suspicious Control Process, AccCheckConsole Executing Dll, Mshta JavaScript Execution, Suspicious Windows Installer Execution, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Control Panel Items, WMI Persistence Script Event Consumer File Write, Change Default File Association, Component Object Model Hijacking"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password, PowerShell Data Compressed"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Openfiles Usage, Network Scanning and Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, PowerView commandlets 1, AdFind Usage, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Copy Of Legitimate System32 Executable, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder, Non-Legitimate Executable Using AcceptEula Parameter, AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, RTLO Character"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Ngrok Process Execution, Netsh Port Forwarding"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Stop Backup Services"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Process Call Creation, WMIC Uninstall Product, WMImplant Hack Tool, WMI Install Of Binary, Invoke-TheHash Commandlets, Wmic Service Call, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, WMImplant Hack Tool, Suspicious PowerShell Keywords, PowerShell Downgrade Attack, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Powershell Web Request, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Taskkill Command, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Download From URL, Invoke-TheHash Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, Suspicious PowerShell Invocations - Generic, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, PowerShell Invoke Expression With Registry"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PROCEXP152.sys File Created In Tmp, Netsh RDP Port Forwarding, Netsh Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Disabled IE Security Features, MalwareBytes Uninstallation, Raccine Uninstall, Disable Windows Defender Credential Guard, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Disable Services, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, WMIC Uninstall Product, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Port Opening, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Task Manager Through Registry Key, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Autorun Keys Modification, Leviathan Registry Key Activity, Suspicious desktop.ini Action, Njrat Registry Values, Kernel Module Alteration, NjRat Registry Changes"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious XOR Encoded PowerShell Command Line, Suspicious certutil command, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Gpresult Usage, Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, Network Sniffing, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, PsExec Process, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, New Service Creation"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, WMIC Uninstall Product, MalwareBytes Uninstallation, Malspam Execution Registering Malicious DLL, Lazarus Loaders, Elise Backdoor, Suspicious Taskkill Command, Phorpiex DriveMgr Command, Mustang Panda Dropper"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access, Adexplorer Usage, Linux Suspicious Search, Opening Of a Password File, Container Credential Access"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, Erase Shell History, ETW Tampering, Compression Followed By Suppression"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution, Download Files From Suspicious TLDs"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Malspam Execution Registering Malicious DLL, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Python HTTP Server, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Dynamic DNS Contacted, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cryptomining"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, Dynamic Linker Hijacking From Environment Variable, DNS ServerLevelPluginDll Installation, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Createdump, Credential Dump Tools Related Files"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Suspicious Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding, Suspicious TOR Gateway"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x TEHTRIS EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Malspam Execution Registering Malicious DLL, TEHTRIS EDR Alert, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, PowerShell Commands Invocation, Suspicious File Name, Bloodhound and Sharphound Tools Usage, Suspicious XOR Encoded PowerShell Command Line, Venom Multi-hop Proxy agent detection, Suspicious PowerShell Keywords, WMIC Uninstall Product, Suspicious PowerShell Invocations - Specific, Suspicious VBS Execution Parameter, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious CodePage Switch with CHCP, Socat Reverse Shell Detection, Phorpiex DriveMgr Command, Invoke-TheHash Commandlets, TEHTRIS EDR Alert, Malspam Execution Registering Malicious DLL, Powershell Web Request, XSL Script Processing And SquiblyTwo Attack, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Office Creating Suspicious File, WMImplant Hack Tool, Sekoia.io EICAR Detection, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, AutoIt3 Execution From Suspicious Folder, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Socat Relaying Socket, PowerShell EncodedCommand, FromBase64String Command Line, Suspicious Taskkill Command, Generic-reverse-shell-oneliner, QakBot Process Creation, Linux Bash Reverse Shell, PowerShell Downgrade Attack, Elise Backdoor, Suspicious PowerShell Invocations - Generic, Suspicious Windows Script Execution, Mustang Panda Dropper, Lazarus Loaders, Sysprep On AppData Folder, PowerShell Download From URL"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Exfiltration Via Pscp, Usage Of Procdump With Common Arguments, TEHTRIS EDR Alert, SolarWinds Suspicious File Creation, Usage Of Sysinternals Tools, PsExec Process, OneNote Suspicious Children Process"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, Suspicious CommandLine Lsassy Pattern, WCE wceaux.dll Creation, Credential Dump Tools Related Files, Process Trace Alteration, Mimikatz Basic Commands, HackTools Suspicious Process Names In Command Line, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Names, Process Memory Dump Using Rdrleakdiag, Wdigest Enable UseLogonCredential, Grabbing Sensitive Hives Via Reg Utility, Process Memory Dump Using Createdump, Copying Browser Files With Credentials"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign, Network Connection Via Certutil, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Rclone Process, Suspicious Finger Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Malspam Execution Registering Malicious DLL, XSL Script Processing And SquiblyTwo Attack, Microsoft Office Creating Suspicious File, Suspicious Windows Script Execution, QakBot Process Creation, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, Shadow Copies, Suspicious Headless Web Browser Execution To Download File, System Info Discovery"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account, Enabling Restricted Admin Mode, Add User to Privileged Group, Mimikatz Basic Commands"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Netsh Allow Command, Netsh RDP Port Forwarding, Windows Firewall Changes, Powershell AMSI Bypass, Netsh Port Opening, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Netsh RDP Port Forwarding, Windows Firewall Changes, Microsoft Defender Antivirus Disable SecurityHealth, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Powershell AMSI Bypass, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Opening, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Port Opening, Disabled IE Security Features, Netsh Port Forwarding, Netsh Allow Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, ETW Tampering, Disable .NET ETW Through COMPlus_ETWEnabled, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disable Services, Address Space Layout Randomization (ASLR) Alteration, Fail2ban Unban IP, Clear EventLogs Through CommandLine, Raccine Uninstall, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Suspicious PROCEXP152.sys File Created In Tmp, Disable Task Manager Through Registry Key"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Blue Mockingbird Malware, Wdigest Enable UseLogonCredential, RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, DHCP Callout DLL Installation, Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, Suspicious Rundll32.exe Execution, Mshta JavaScript Execution, MavInject Process Injection, Suspicious Control Process, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Regasm Regsvcs Usage, Malspam Execution Registering Malicious DLL, CertOC Loading Dll, xWizard Execution, PowerShell Execution Via Rundll32, Control Panel Items, Empire Monkey Activity, Suspicious Desktopimgdownldr Execution, Suspicious Taskkill Command, Suspicious Mshta Execution, Suspicious DLL Loading By Ordinal, Suspicious Regsvr32 Execution, CMSTP Execution, Explorer Process Executing HTA File, Equation Group DLL_U Load"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Control Panel Items, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, PowerShell Data Compressed, Data Compressed With Rar With Password"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2, Network Scanning and Discovery, Openfiles Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 1, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 1, Network Share Discovery, PowerView commandlets 2"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, AdFind Usage, NlTest Usage, PowerView commandlets 1"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading, Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Copy Of Legitimate System32 Executable, AutoIt3 Execution From Suspicious Folder, Non-Legitimate Executable Using AcceptEula Parameter, Legitimate Process Execution From Unusual Folder, Possible Malicious File Double Extension, Phorpiex Process Masquerading, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Ngrok Process Execution, Netsh Port Forwarding"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Stop Backup Services, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, WMI Install Of Binary, Invoke-TheHash Commandlets, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, Wmic Process Call Creation, WMIC Uninstall Product, WMImplant Hack Tool"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, Bloodhound and Sharphound Tools Usage, Suspicious XOR Encoded PowerShell Command Line, Suspicious PowerShell Keywords, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, Invoke-TheHash Commandlets, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), WMImplant Hack Tool, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, FromBase64String Command Line, Suspicious Taskkill Command, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Generic, PowerShell Download From URL"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable SecurityHealth, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Port Opening, Disabled IE Security Features, Netsh Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disable Services, Address Space Layout Randomization (ASLR) Alteration, Fail2ban Unban IP, Raccine Uninstall, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Suspicious PROCEXP152.sys File Created In Tmp, Disable Task Manager Through Registry Key"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, Malware Persistence Registry Key, NjRat Registry Changes, Njrat Registry Values, Autorun Keys Modification, Kernel Module Alteration, Suspicious desktop.ini Action"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Suspicious XOR Encoded PowerShell Command Line, OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments, OneNote Suspicious Children Process, Usage Of Sysinternals Tools"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Elise Backdoor, Phorpiex DriveMgr Command, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Mustang Panda Dropper, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Adexplorer Usage, Opening Of a Password File, Linux Suspicious Search, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, Erase Shell History, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line, Exfiltration Domain"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution, Download Files From Suspicious TLDs"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, Malspam Execution Registering Malicious DLL, Empire Monkey Activity, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Python HTTP Server, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Detect requests to Konni C2 servers, Koadic MSHTML Command, Dynamic DNS Contacted"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Hijack Legit RDP Session To Move Laterally, Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_90179796-f949-490c-8729-8cbc9c65be55_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_90179796-f949-490c-8729-8cbc9c65be55_do_not_edit_manually.json
index 39db81068c..d5a0937cef 100644
--- a/_shared_content/operations_center/detection/generated/attack_90179796-f949-490c-8729-8cbc9c65be55_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_90179796-f949-490c-8729-8cbc9c65be55_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco Umbrella DNS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Correlation Potential DNS Tunnel, Cobalt Strike DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining, Sliver DNS Beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Cisco Umbrella Threat Detected, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cobalt Strike DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining, Sliver DNS Beaconing"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco Umbrella DNS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing, Dynamic DNS Contacted, Cobalt Strike DNS Beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Cisco Umbrella Threat Detected, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Cobalt Strike DNS Beaconing"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_903ec1b8-f206-4ba5-8563-db21da09cafd_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_903ec1b8-f206-4ba5-8563-db21da09cafd_do_not_edit_manually.json
index 7ed63e7171..b5df0016a7 100644
--- a/_shared_content/operations_center/detection/generated/attack_903ec1b8-f206-4ba5-8563-db21da09cafd_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_903ec1b8-f206-4ba5-8563-db21da09cafd_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Palo Alto NGFW", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, HTA Infection Chains, ISO LNK Infection Chain, Login Brute-Force Successful On SentinelOne EDR Management Console, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Login Brute-Force Successful On SentinelOne EDR Management Console, Suspicious File Name"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected, WAF Correlation Block Multiple Destinations, WAF Correlation Block actions"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner, Burp Suite Tool Detected, WAF Correlation Block Multiple Destinations, WAF Correlation Block actions"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain, Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain, Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Portal"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Portal"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Login Brute-Force On Firewall, RSA SecurID Failed Authentification, Authentication Impossible Travel"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner New Issues"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, Download Files From Suspicious TLDs, HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group, Login Brute-Force On Firewall, Authentication Impossible Travel"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, Process Trace Alteration, NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation, Credential Dump Tools Related Files"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner, Adidnsdump Enumeration"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Correlation Potential DNS Tunnel, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Bazar Loader DGA (Domain Generation Algorithm), Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Suspicious Email Attachment Received, Download Files From Suspicious TLDs"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-26855 Exchange SSRF, CVE-2020-1147 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2020-17530 Apache Struts RCE, CVE-2021-21972 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-0604 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21985 VMware vCenter"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage, Suspicious TOR Gateway"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Palo Alto NGFW", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, Download Files From Suspicious TLDs, HTA Infection Chains, Cobalt Strike Default Beacons Names, Login Brute-Force Successful On SentinelOne EDR Management Console, ISO LNK Infection Chain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Login Brute-Force Successful On SentinelOne EDR Management Console, Suspicious File Name"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Correlation Block actions, WAF Correlation Block Multiple Destinations, Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner, WAF Correlation Block Multiple Destinations, Burp Suite Tool Detected, WAF Correlation Block actions"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), Entra ID Sign-In Via Known AiTM Phishing Kit, EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), Entra ID Sign-In Via Known AiTM Phishing Kit, EvilProxy Phishing Domain"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Portal"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Portal"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Authentication Impossible Travel, RSA SecurID Failed Authentification, Login Brute-Force On Firewall"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner New Issues"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, HTA Infection Chains, Download Files From Suspicious TLDs, ISO LNK Infection Chain"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Authentication Impossible Travel, Account Added To A Security Enabled Group, Login Brute-Force On Firewall"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Process Trace Alteration, NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation, HackTools Suspicious Names"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, SEKOIA.IO Intelligence Feed, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, Suspicious Email Attachment Received"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-1147 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_9044ba46-2b5d-4ebd-878a-51d62e84c8df_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_9044ba46-2b5d-4ebd-878a-51d62e84c8df_do_not_edit_manually.json
index a219a3b791..5291218176 100644
--- a/_shared_content/operations_center/detection/generated/attack_9044ba46-2b5d-4ebd-878a-51d62e84c8df_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_9044ba46-2b5d-4ebd-878a-51d62e84c8df_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x ISC DHCP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x ISC DHCP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_916c13a8-c109-49f0-94db-d6a2300f5580_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_916c13a8-c109-49f0-94db-d6a2300f5580_do_not_edit_manually.json
index 23fa73874a..171d197975 100644
--- a/_shared_content/operations_center/detection/generated/attack_916c13a8-c109-49f0-94db-d6a2300f5580_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_916c13a8-c109-49f0-94db-d6a2300f5580_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Fastly Next-Gen WAF Alerts [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Correlation Block actions"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: WAF Correlation Block actions"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Fastly Next-Gen WAF Alerts [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Correlation Block actions"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: WAF Correlation Block actions"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Cryptomining, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.json
index 61c5201e42..83b921bf95 100644
--- a/_shared_content/operations_center/detection/generated/attack_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Windows", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204.002", "score": 100, "comment": "Rules: HarfangLab EDR Critical Threat, HarfangLab EDR High Threat, HarfangLab EDR Low Level Rule Detection, IcedID Execution Using Excel, HarfangLab EDR Medium Level Rule Detection, Malspam Execution Registering Malicious DLL, Sysmon Windows File Block Executable, Download Files From Non-Legitimate TLDs, Microsoft Office Product Spawning Windows Shell, HarfangLab EDR Low Threat, HarfangLab EDR Hlai Engine Detection, Explorer Process Executing HTA File, MS Office Product Spawning Exe in User Dir, Winword Document Droppers, Suspicious DLL Loaded Via Office Applications, Microsoft Office Spawning Script, Cobalt Strike Default Beacons Names, HarfangLab EDR Process Execution Blocked (HL-AI engine), HarfangLab EDR Suspicious Process Behavior Has Been Detected, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Medium Threat, Microsoft Office Creating Suspicious File, SquirrelWaffle Malspam Execution Loading DLL, HarfangLab EDR Critical Level Rule Detection, Exploit For CVE-2015-1641, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HarfangLab EDR Critical Threat, HarfangLab EDR High Threat, HarfangLab EDR Low Level Rule Detection, IcedID Execution Using Excel, HarfangLab EDR Medium Level Rule Detection, Malspam Execution Registering Malicious DLL, Suspicious Outlook Child Process, Sysmon Windows File Block Executable, Download Files From Non-Legitimate TLDs, Microsoft Office Product Spawning Windows Shell, HarfangLab EDR Low Threat, HarfangLab EDR Hlai Engine Detection, Explorer Process Executing HTA File, ZIP LNK Infection Chain, MS Office Product Spawning Exe in User Dir, Winword Document Droppers, Suspicious DLL Loaded Via Office Applications, Microsoft Office Spawning Script, ISO LNK Infection Chain, Cobalt Strike Default Beacons Names, Login Brute-Force Successful On SentinelOne EDR Management Console, HarfangLab EDR Process Execution Blocked (HL-AI engine), HarfangLab EDR Suspicious Process Behavior Has Been Detected, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Medium Threat, Microsoft Office Creating Suspicious File, Microsoft Defender Antivirus Threat Detected, SquirrelWaffle Malspam Execution Loading DLL, HTA Infection Chains, HarfangLab EDR Critical Level Rule Detection, Exploit For CVE-2015-1641, Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Venom Multi-hop Proxy agent detection, Suspicious Windows Script Execution, PowerShell NTFS Alternate Data Stream, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious CodePage Switch with CHCP, Default Encoding To UTF-8 PowerShell, Socat Reverse Shell Detection, Generic-reverse-shell-oneliner, WMImplant Hack Tool, Suspicious PowerShell Keywords, Trickbot Malware Activity, PowerShell Downgrade Attack, WMI DLL Loaded Via Office, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PrinterPorts Creation (CVE-2020-1048), Mustang Panda Dropper, Malicious PowerShell Keywords, PowerShell EncodedCommand, QakBot Process Creation, Socat Relaying Socket, Sysprep On AppData Folder, Aspnet Compiler, Powershell Web Request, In-memory PowerShell, Malspam Execution Registering Malicious DLL, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Outlook Child Process, PowerShell Credential Prompt, Suspicious Taskkill Command, AutoIt3 Execution From Suspicious Folder, Bloodhound and Sharphound Tools Usage, Suspicious Cmd.exe Command Line, MalwareBytes Uninstallation, PowerShell Malicious Nishang PowerShell Commandlets, Mshta Suspicious Child Process, Suspicious DLL Loaded Via Office Applications, PowerShell Download From URL, Suspicious Scripting In A WMI Consumer, PowerShell Commands Invocation, Microsoft Office Spawning Script, Invoke-TheHash Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Login Brute-Force Successful On SentinelOne EDR Management Console, Phorpiex DriveMgr Command, Detection of default Mimikatz banner, XSL Script Processing And SquiblyTwo Attack, Suspicious XOR Encoded PowerShell Command Line, Alternate PowerShell Hosts Pipe, WMIC Uninstall Product, Suspicious PowerShell Invocations - Generic, Exploited CVE-2020-10189 Zoho ManageEngine, Microsoft Office Creating Suspicious File, Microsoft Defender Antivirus Threat Detected, SquirrelWaffle Malspam Execution Loading DLL, Suspicious VBS Execution Parameter, Suspicious PowerShell Invocations - Specific, Turla Named Pipes, Lazarus Loaders, Elise Backdoor, DNS Exfiltration and Tunneling Tools Execution, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell Invoke Expression With Registry, PowerShell Malicious PowerShell Commandlets, Suspicious File Name, Linux Bash Reverse Shell"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: WMI Persistence Command Line Event Consumer, Suspicious Commands From MS SQL Server Shell, Smbexec.py Service Installation, Windows Suspicious Service Creation, Winrshost Wrong Parent, Suspicious PsExec Execution, Suspicious DNS Child Process, Wsmprovhost Wrong Parent, Wininit Wrong Parent, SolarWinds Wrong Child Process, Credential Dumping Tools Service Execution, Spoolsv Wrong Parent, Windows Update LolBins, Check Point Harmony Mobile Application Forbidden, Winlogon wrong parent, Svchost Wrong Parent, PsExec Process, Winword wrong parent, Taskhostw Wrong Parent, SolarWinds Suspicious File Creation, Dllhost Wrong Parent, Usage Of Sysinternals Tools, Csrss Wrong Parent, Rare Lsass Child Found, Smss Wrong Parent, Malicious Service Installations, OneNote Suspicious Children Process, Searchprotocolhost Child Found, Gpscript Suspicious Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, Taskhost Wrong Parent, Login Brute-Force Successful On SentinelOne EDR Management Console, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, Wmiprvse Wrong Parent, Logonui Wrong Parent, Csrss Child Found, Microsoft Defender Antivirus Threat Detected, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Userinit Wrong Parent, Metasploit PSExec Service Creation, Lsass Wrong Parent"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Correlation Internal Ntlm Password Spraying, RSA SecurID Failed Authentification, Correlation Internal Kerberos Password Spraying"}, {"techniqueID": "T1557.001", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), Possible RottenPotato Attack, EvilProxy Phishing Domain, Correlation Suspicious Authentication Coercer Behavior"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Possible RottenPotato Attack"}, {"techniqueID": "T1137.006", "score": 100, "comment": "Rules: Microsoft Office Startup Add-In"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Microsoft Office Startup Add-In, Office Application Startup Office Test"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disable Security Events Logging Adding Reg Key MiniNt, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Program Allowed With Suspicious Location, Python Opening Ports, Netsh Allow Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Exclusion Configuration, Netsh RDP Port Opening, Microsoft Defender Antivirus Tampering Detected, Disable .NET ETW Through COMPlus_ETWEnabled, FLTMC command usage, Windows Defender Deactivation Using PowerShell Script, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspect Svchost Memory Access, Suspicious PROCEXP152.sys File Created In Tmp, Netsh RDP Port Forwarding, Netsh Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Disabled IE Security Features, ETW Tampering, Powershell AMSI Bypass, MalwareBytes Uninstallation, Raccine Uninstall, Disable Windows Defender Credential Guard, Address Space Layout Randomization (ASLR) Alteration, Windows Firewall Changes, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Configuration Changed, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable Services, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, NetNTLM Downgrade Attack, Dism Disabling Windows Defender, WMIC Uninstall Product, TrustedInstaller Impersonation, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Port Opening, Microsoft Malware Protection Engine Crash, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Task Manager Through Registry Key, Netsh Allowed Python Program, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Driver Loaded"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Secure Deletion With SDelete, Microsoft Defender Antivirus History Directory Deleted, Cookies Deletion, High Privileges Network Share Removal, Microsoft Defender Antivirus Tampering Detected, Eventlog Cleared, Clear EventLogs Through CommandLine, Erase Shell History, ETW Tampering, Compression Followed By Suppression"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, FLTMC command usage, ETW Tampering"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Antivirus Password Dumper Detection, Suspicious Hangul Word Processor Child Process, Suspicious New Printer Ports In Registry, Audit CVE Event, Msdt (Follina) File Browse Process Execution, Download Files From Non-Legitimate TLDs, Antivirus Relevant File Paths Alerts, Exploit For CVE-2015-1641, Antivirus Exploitation Framework Detection, Download Files From Suspicious TLDs"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Antivirus Password Dumper Detection, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Antivirus Relevant File Paths Alerts, Antivirus Exploitation Framework Detection, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Exclusion Configuration, Netsh RDP Port Opening, Windows Defender Deactivation Using PowerShell Script, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PROCEXP152.sys File Created In Tmp, Netsh RDP Port Forwarding, Netsh Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Disabled IE Security Features, MalwareBytes Uninstallation, Raccine Uninstall, Disable Windows Defender Credential Guard, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Configuration Changed, Microsoft Defender Antivirus Disable Services, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, NetNTLM Downgrade Attack, Dism Disabling Windows Defender, WMIC Uninstall Product, TrustedInstaller Impersonation, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Port Opening, Microsoft Malware Protection Engine Crash, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Task Manager Through Registry Key, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Driver Loaded"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Process Names In Command Line, DCSync Attack, NTDS.dit File In Suspicious Directory, Mimikatz Basic Commands, Transfering Files With Credential Data Via Network Shares, Grabbing Sensitive Hives Via Reg Utility, Dumpert LSASS Process Dumper, Process Memory Dump Using Comsvcs, WCE wceaux.dll Creation, Lsass Access Through WinRM, Copying Browser Files With Credentials, Credential Dumping By LaZagne, HackTools Suspicious Names, Impacket Secretsdump.py Tool, Credential Dumping-Tools Common Named Pipes, Credential Dumping Tools Service Execution, NTDS.dit File Interaction Through Command Line, Active Directory Replication from Non Machine Account, LSASS Memory Dump, Suspicious CommandLine Lsassy Pattern, RedMimicry Winnti Playbook Dropped File, Mimikatz LSASS Memory Access, LSASS Access From Non System Account, LSASS Memory Dump File Creation, Windows Credential Editor Registry Key, Load Of dbghelp/dbgcore DLL From Suspicious Process, Cmdkey Cached Credentials Recon, Malicious Service Installations, Process Trace Alteration, Unsigned Image Loaded Into LSASS Process, DPAPI Domain Backup Key Extraction, Rubeus Tool Command-line, Password Dumper Activity On LSASS, Wdigest Enable UseLogonCredential, Credential Dump Tools Related Files, NetNTLM Downgrade Attack, Active Directory Database Dump Via Ntdsutil, SAM Registry Hive Handle Request, Process Memory Dump Using Rdrleakdiag, Suspicious SAM Dump, Process Memory Dump Using Createdump, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable Security Events Logging Adding Reg Key MiniNt, Suspicious Desktopimgdownldr Execution, Chafer (APT 39) Activity, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware, Ursnif Registry Key, Disable Workstation Lock, DHCP Callout DLL Installation, FlowCloud Malware, OceanLotus Registry Activity, RDP Sensitive Settings Changed, RedMimicry Winnti Playbook Registry Manipulation, Wdigest Enable UseLogonCredential, DNS ServerLevelPluginDll Installation, RDP Port Change Using Powershell, NetNTLM Downgrade Attack, Suspicious New Printer Ports In Registry, Remote Registry Management Using Reg Utility, Disabling SmartScreen Via Registry"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Information Stealer Downloading Legitimate Third-Party DLLs"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Rclone Process, Suspicious certutil command, Network Connection Via Certutil, Information Stealer Downloading Legitimate Third-Party DLLs, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: COM Hijack Via Sdclt, CMSTP UAC Bypass via COM Object Access, HTML Smuggling Suspicious Usage, Reconnaissance Commands Activities, UAC Bypass via Event Viewer, UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP UAC Bypass via COM Object Access, CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Empire Monkey Activity, IcedID Execution Using Excel, Suspicious Desktopimgdownldr Execution, Suspicious Mshta Execution, Dynwrapx Module Loading, xWizard Execution, Suspicious Regsvr32 Execution, Malspam Execution Registering Malicious DLL, MavInject Process Injection, PowerShell Execution Via Rundll32, CertOC Loading Dll, Suspicious DLL Loading By Ordinal, CMSTP UAC Bypass via COM Object Access, Suspicious Taskkill Command, MOFComp Execution, Explorer Process Executing HTA File, Equation Group DLL_U Load, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Regasm Regsvcs Usage, CMSTP Execution, SquirrelWaffle Malspam Execution Loading DLL, Control Panel Items, Suspicious Control Process, AccCheckConsole Executing Dll, Mshta JavaScript Execution, Suspicious Windows Installer Execution, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Suspicious Outbound Kerberos Connection, Rubeus Tool Command-line, Suspicious Kerberos Ticket, User Couldn't Call A Privileged Service LsaRegisterLogonProcess, Rubeus Register New Logon Process, Kerberos Pre-Auth Disabled in UAC, Suspicious TGS requests (Kerberoasting)"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Impacket Secretsdump.py Tool, Credential Dumping Tools Service Execution, Credential Dumping-Tools Common Named Pipes, SAM Registry Hive Handle Request, Grabbing Sensitive Hives Via Reg Utility, Suspicious SAM Dump, Credential Dump Tools Related Files, RedMimicry Winnti Playbook Dropped File, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Impacket Secretsdump.py Tool, Credential Dumping Tools Service Execution, Credential Dumping-Tools Common Named Pipes, DPAPI Domain Backup Key Extraction, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Credential Dumping-Tools Common Named Pipes, Credential Dumping Tools Service Execution, Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1212", "score": 100, "comment": "Rules: Audit CVE Event, Abusing Azure Browser SSO"}, {"techniqueID": "T1528", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1550.001", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host, Rubeus Tool Command-line, Successful Overpass The Hash Attempt, Abusing Azure Browser SSO"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, QakBot Process Creation, Suspicious CodePage Switch with CHCP, Microsoft Office Creating Suspicious File, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Suspicious VBS Execution Parameter, Suspicious DLL Loaded Via Office Applications, WMI DLL Loaded Via Office, Microsoft Office Spawning Script, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Privileged AD Builtin Group Modified, Mimikatz Basic Commands, Enabling Restricted Admin Mode, Active Directory User Backdoors, Add User to Privileged Group, User Added to Local Administrators, Active Directory Replication User Backdoor, SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory, Active Directory Delegate To KRBTGT Service, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Creation or Modification of a GPO Scheduled Task, Domain Trust Created Or Removed, Privileged AD Builtin Group Modified, GPO Executable Delivery"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell NTFS Alternate Data Stream, Default Encoding To UTF-8 PowerShell, WMImplant Hack Tool, Suspicious PowerShell Keywords, PowerShell Downgrade Attack, Suspicious PrinterPorts Creation (CVE-2020-1048), Malicious PowerShell Keywords, PowerShell EncodedCommand, Powershell Web Request, In-memory PowerShell, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Credential Prompt, Suspicious Taskkill Command, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, Mshta Suspicious Child Process, PowerShell Download From URL, Invoke-TheHash Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Detection of default Mimikatz banner, Suspicious XOR Encoded PowerShell Command Line, Alternate PowerShell Hosts Pipe, Suspicious PowerShell Invocations - Generic, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Suspicious PowerShell Invocations - Specific, Turla Named Pipes, DNS Exfiltration and Tunneling Tools Execution, PowerShell Invoke Expression With Registry, PowerShell Malicious PowerShell Commandlets"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, COM Hijack Via Sdclt, Control Panel Items, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Suspicious Scripting In A WMI Consumer, HTML Smuggling Suspicious Usage, Sticky Key Like Backdoor Usage, WMI Persistence Script Event Consumer File Write, Reconnaissance Commands Activities, WMI Event Subscription, Component Object Model Hijacking, Change Default File Association"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, WMI Fingerprint Commands, Shadow Copies, System Info Discovery, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Wsmprovhost Wrong Parent, Dynwrapx Module Loading, Smss Wrong Parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration, Process Herpaderping, Svchost Wrong Parent, Process Hollowing Detection, Cobalt Strike Named Pipes, Searchprotocolhost Wrong Parent, Searchindexer Wrong Parent, Taskhost Wrong Parent, Taskhostw Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Explorer Wrong Parent, Malicious Named Pipe"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: WMI Persistence Command Line Event Consumer, Suspicious Commands From MS SQL Server Shell, Winrshost Wrong Parent, Chafer (APT 39) Activity, APT29 Fake Google Update Service Install, Wsmprovhost Wrong Parent, Wininit Wrong Parent, SolarWinds Wrong Child Process, Spoolsv Wrong Parent, Winlogon wrong parent, Svchost Wrong Parent, Winword wrong parent, Taskhostw Wrong Parent, Dllhost Wrong Parent, Cobalt Strike Default Service Creation Usage, Csrss Wrong Parent, Rare Lsass Child Found, Smss Wrong Parent, Malicious Service Installations, OneNote Suspicious Children Process, Searchprotocolhost Child Found, Gpscript Suspicious Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, New Service Creation, Taskhost Wrong Parent, Explorer Wrong Parent, Wmiprvse Wrong Parent, Logonui Wrong Parent, Csrss Child Found, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Userinit Wrong Parent, StoneDrill Service Install, Lsass Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: WMI Persistence Command Line Event Consumer, Suspicious Commands From MS SQL Server Shell, Winrshost Wrong Parent, Chafer (APT 39) Activity, APT29 Fake Google Update Service Install, Wsmprovhost Wrong Parent, Wininit Wrong Parent, SolarWinds Wrong Child Process, Spoolsv Wrong Parent, Winlogon wrong parent, Svchost Wrong Parent, Winword wrong parent, Taskhostw Wrong Parent, Dllhost Wrong Parent, Cobalt Strike Default Service Creation Usage, Csrss Wrong Parent, Rare Lsass Child Found, Smss Wrong Parent, Malicious Service Installations, OneNote Suspicious Children Process, Searchprotocolhost Child Found, Gpscript Suspicious Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, New Service Creation, Taskhost Wrong Parent, Explorer Wrong Parent, Wmiprvse Wrong Parent, Logonui Wrong Parent, Csrss Child Found, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Userinit Wrong Parent, StoneDrill Service Install, Lsass Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: WMI Persistence Command Line Event Consumer, Suspicious Commands From MS SQL Server Shell, Smbexec.py Service Installation, Windows Suspicious Service Creation, Winrshost Wrong Parent, Suspicious PsExec Execution, Suspicious DNS Child Process, Wsmprovhost Wrong Parent, Wininit Wrong Parent, SolarWinds Wrong Child Process, Credential Dumping Tools Service Execution, Spoolsv Wrong Parent, Winlogon wrong parent, Svchost Wrong Parent, PsExec Process, Winword wrong parent, Taskhostw Wrong Parent, Dllhost Wrong Parent, Usage Of Sysinternals Tools, Csrss Wrong Parent, Rare Lsass Child Found, Smss Wrong Parent, Malicious Service Installations, OneNote Suspicious Children Process, Searchprotocolhost Child Found, Gpscript Suspicious Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, Taskhost Wrong Parent, Usage Of Procdump With Common Arguments, Wmiprvse Wrong Parent, Logonui Wrong Parent, Csrss Child Found, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Userinit Wrong Parent, Metasploit PSExec Service Creation, Lsass Wrong Parent"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Powershell AMSI Bypass, Netsh Port Opening, Python Opening Ports, Netsh Allow Command, Netsh Program Allowed With Suspicious Location, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Eventlog Cleared, Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Event Subscription, Suspicious Scripting In A WMI Consumer, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password, PowerShell Data Compressed"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Remote Task Creation Via ATSVC Named Pipe, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Blue Mockingbird Malware, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Windows Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges, Remote Task Creation Via ATSVC Named Pipe, Chafer (APT 39) Activity, Creation or Modification of a GPO Scheduled Task, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Windows Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges, Chafer (APT 39) Activity, Creation or Modification of a GPO Scheduled Task, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1187", "score": 100, "comment": "Rules: Correlation Suspicious Authentication Coercer Behavior"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, User Couldn't Call A Privileged Service LsaRegisterLogonProcess"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted, Privileged AD Builtin Group Modified"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2020-17530 Apache Struts RCE, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2020-0688 Microsoft Exchange Server Exploit, Suspicious DNS Child Process, GitLab CVE-2021-22205, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, SCM Database Handle Failure, PowerView commandlets 1, SCM Database Privileged Operation"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Openfiles Usage, Network Scanning and Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, AD Privileged Users Or Groups Reconnaissance, Remote Privileged Group Enumeration, PowerView commandlets 1, Active Directory Data Export Using Csvde, Reconnaissance Commands Activities, Remote Enumeration Of Lateral Movement Groups, Phosphorus (APT35) Exchange Discovery, AD User Enumeration, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1, Netscan Share Access Artefact"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Phosphorus Domain Controller Discovery, NlTest Usage, Trickbot Malware Activity, PowerView commandlets 1, AdFind Usage, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, AD Object WriteDAC Access, Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dumping By LaZagne, Credential Dumping Tools Service Execution, Credential Dumping-Tools Common Named Pipes, Process Memory Dump Using Rdrleakdiag, Unsigned Image Loaded Into LSASS Process, Dumpert LSASS Process Dumper, Password Dumper Activity On LSASS, LSASS Memory Dump, Suspicious CommandLine Lsassy Pattern, Credential Dump Tools Related Files, Process Memory Dump Using Createdump, Mimikatz LSASS Memory Access, LSASS Access From Non System Account, Lsass Access Through WinRM, LSASS Memory Dump File Creation, Windows Credential Editor Registry Key, Load Of dbghelp/dbgcore DLL From Suspicious Process"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy, Audit CVE Event, Suspicious New Printer Ports In Registry, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Audit CVE Event, Microsoft Malware Protection Engine Crash"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Registry Checked For Lanmanserver DisableCompression Parameter, Audit CVE Event, CVE-2019-0708 Scan"}, {"techniqueID": "T1499.004", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Antivirus Web Shell Detection, PowerCat Function Loading, Webshell Execution W3WP Process, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, IIS Module Installation Using AppCmd, Antivirus Web Shell Detection, PowerCat Function Loading, Webshell Execution W3WP Process, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Copy Of Legitimate System32 Executable, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder, Execution From Suspicious Folder, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, AutoIt3 Execution From Suspicious Folder, New Or Renamed User Account With '$' In Attribute 'SamAccountName', RTLO Character, Suspicious Cmd.exe Command Line, Explorer Wrong Parent"}, {"techniqueID": "T1129", "score": 100, "comment": "Rules: FoggyWeb Backdoor DLL Loading"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Ngrok Process Execution, Netsh Port Forwarding, Potential DNS Tunnel"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Correlation Multi Service Disable"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Stop Backup Services"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Secure Deletion With SDelete, Backup Catalog Deleted"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Process Call Creation, WMIC Uninstall Product, Impacket Wmiexec Module, WMImplant Hack Tool, WMI Install Of Binary, WMI Fingerprint Commands, Invoke-TheHash Commandlets, WMI DLL Loaded Via Office, Suspicious Mshta Execution From Wmi, Wmic Service Call, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1021.002", "score": 100, "comment": "Rules: Protected Storage Service Access, Lateral Movement Remote Named Pipe, Remote Service Activity Via SVCCTL Named Pipe, Smbexec.py Service Installation, Admin Share Access, Cobalt Strike Default Service Creation Usage"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: Protected Storage Service Access, Denied Access To Remote Desktop, MMC Spawning Windows Shell, Lateral Movement Remote Named Pipe, Remote Service Activity Via SVCCTL Named Pipe, RDP Login From Localhost, MMC20 Lateral Movement, Smbexec.py Service Installation, Admin Share Access, RDP Port Change Using Powershell, Lsass Access Through WinRM, Cobalt Strike Default Service Creation Usage"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, PowerShell NTFS Alternate Data Stream, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, Suspicious Windows ANONYMOUS LOGON Local Account Created, User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Suspicious Windows ANONYMOUS LOGON Local Account Created, User Account Created, Impacket Addcomputer, Suspicious URL Requested By Curl Or Wget Commands, Net.exe User Account Creation, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer, Suspicious Windows ANONYMOUS LOGON Local Account Created"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable Security Events Logging Adding Reg Key MiniNt, Disable .NET ETW Through COMPlus_ETWEnabled, Suspect Svchost Memory Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution, Chafer (APT 39) Activity, Cryptomining, Sliver DNS Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Covenant Default HTTP Beaconing, Suspicious Windows DNS Queries, Python HTTP Server, Chafer (APT 39) Activity, Koadic MSHTML Command, Dynamic DNS Contacted, TrevorC2 HTTP Communication, Suspicious LDAP-Attributes Used, Correlation Potential DNS Tunnel, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, DNS Tunnel Technique From MuddyWater, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Sliver DNS Beaconing, Exfiltration And Tunneling Tools Execution, Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, HTA Infection Chains, Download Files From Non-Legitimate TLDs, ISO LNK Infection Chain, Download Files From Suspicious TLDs"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Active Directory Database Dump Via Ntdsutil, Impacket Secretsdump.py Tool, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Credential Dump Tools Related Files, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Registry Key Used By Some Old Agent Tesla Samples, Narrator Feedback-Hub Persistence, Malware Persistence Registry Key, Autorun Keys Modification, Leviathan Registry Key Activity, Powershell Winlogon Helper DLL, DLL Load via LSASS Registry Key, Suspicious desktop.ini Action, Svchost Modification, Njrat Registry Values, Security Support Provider (SSP) Added to LSA Configuration, RUN Registry Key Created From Suspicious Folder, Kernel Module Alteration, NjRat Registry Changes"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool, Suspicious LDAP-Attributes Used"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool, Suspicious LDAP-Attributes Used"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Remote Enumeration Of Lateral Movement Groups, Remote Privileged Group Enumeration"}, {"techniqueID": "T1021.006", "score": 100, "comment": "Rules: Lsass Access Through WinRM"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious XOR Encoded PowerShell Command Line, Suspicious certutil command, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Gpresult Usage, Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, Network Sniffing, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, Secure Deletion With SDelete, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, OneNote Embedded File"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, Suspicious Network Args In Command Line"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: Denied Access To Remote Desktop, RDP Port Change Using Powershell, RDP Login From Localhost"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, Werfault DLL Injection, Svchost DLL Search Order Hijack, DHCP Server Loaded the CallOut DLL, Suspicious DLL side loading from ProgramData"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL, DHCP Callout DLL Installation, Dynamic Linker Hijacking From Environment Variable, DNS ServerLevelPluginDll Installation, Werfault DLL Injection, Exploiting SetupComplete.cmd CVE-2019-1378, Svchost DLL Search Order Hijack, DHCP Server Loaded the CallOut DLL, Windows Registry Persistence COM Search Order Hijacking, Hijack Legit RDP Session To Move Laterally, Suspicious DLL side loading from ProgramData"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1055.012", "score": 100, "comment": "Rules: Process Hollowing Detection"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line, Active Directory Shadow Credentials"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Registry Key Used By Some Old Agent Tesla Samples, Narrator Feedback-Hub Persistence, Malware Persistence Registry Key, Autorun Keys Modification, Leviathan Registry Key Activity, Svchost Modification, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1484.001", "score": 100, "comment": "Rules: Creation or Modification of a GPO Scheduled Task, GPO Executable Delivery"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, Credentials Extraction, Information Stealer Downloading Legitimate Third-Party DLLs, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Remote Registry Management Using Reg Utility, XCopy Suspicious Usage, Outlook Registry Access, Adexplorer Usage, Credentials Extraction, Linux Suspicious Search, Opening Of a Password File, Container Credential Access"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Dynwrapx Module Loading, IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, PowerShell Execution Via Rundll32, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands, Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: System Network Connections Discovery, Adidnsdump Enumeration, ACLight Discovering Privileged Accounts, Remote System Discovery Via Telnet, Microsoft Windows Active Directory Module Commandlets"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, WMIC Uninstall Product, MalwareBytes Uninstallation, Exploited CVE-2020-10189 Zoho ManageEngine, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Lazarus Loaders, Elise Backdoor, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, Phorpiex DriveMgr Command, Mustang Panda Dropper"}, {"techniqueID": "T1110.003", "score": 100, "comment": "Rules: Correlation Internal Ntlm Password Spraying, Correlation Internal Kerberos Password Spraying"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Denied Access To Remote Desktop, Account Tampering - Suspicious Failed Logon Reasons, Account Added To A Security Enabled Group, User Added to Local Administrators, Account Removed From A Security Enabled Group, Admin User RDP Remote Logon"}, {"techniqueID": "T1003.006", "score": 100, "comment": "Rules: Active Directory Replication from Non Machine Account, DCSync Attack, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, TUN/TAP Driver Installation, DNS Exfiltration and Tunneling Tools Execution, Potential DNS Tunnel, Exfiltration Domain, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder, Explorer Wrong Parent"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, AD Privileged Users Or Groups Reconnaissance, Active Directory Data Export Using Csvde, AD User Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1100", "score": 100, "comment": "Rules: Antivirus Web Shell Detection"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Access To Sensitive File Extensions"}, {"techniqueID": "T1091", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1200", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Suspicious Double Extension, Suspicious Outlook Child Process, Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Suspicious Windows DNS Queries, Python HTTP Server, Detect requests to Konni C2 servers, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, SysKey Registry Keys Access, Putty Sessions Listing, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host, Successful Overpass The Hash Attempt"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup, Wmic Suspicious Commands"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1649", "score": 100, "comment": "Rules: Suspicious Kerberos Ticket, Suspicious Certificate Request-adcs Abuse"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: Dynwrapx Module Loading, MavInject Process Injection"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: WMIC Loading Scripting Libraries, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1207", "score": 100, "comment": "Rules: DC Shadow via Service Principal Name (SPN) creation"}, {"techniqueID": "T1574.001", "score": 100, "comment": "Rules: Svchost DLL Search Order Hijack, Windows Registry Persistence COM Search Order Hijacking"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1086", "score": 100, "comment": "Rules: In-memory PowerShell"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1558.004", "score": 100, "comment": "Rules: Kerberos Pre-Auth Disabled in UAC"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious Hostname, Netsh Port Forwarding, TOR Usage, Suspicious TOR Gateway"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Secure Deletion With SDelete, Compression Followed By Suppression"}, {"techniqueID": "T1027.005", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage, Suspicious TOR Gateway"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1136.003", "score": 100, "comment": "Rules: Suspicious URL Requested By Curl Or Wget Commands"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Windows", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204.002", "score": 100, "comment": "Rules: HarfangLab EDR Low Threat, HarfangLab EDR Medium Level Rule Detection, IcedID Execution Using Excel, HarfangLab EDR Low Level Rule Detection, Microsoft Office Spawning Script, HarfangLab EDR Hlai Engine Detection, Malspam Execution Registering Malicious DLL, Exploit For CVE-2015-1641, Download Files From Non-Legitimate TLDs, Microsoft Office Creating Suspicious File, Microsoft Office Product Spawning Windows Shell, Sysmon Windows File Block Executable, HarfangLab EDR Critical Level Rule Detection, Download Files From Suspicious TLDs, HarfangLab EDR Process Execution Blocked (HL-AI engine), HarfangLab EDR High Threat, Winword Document Droppers, HarfangLab EDR High Level Rule Detection, Suspicious DLL Loaded Via Office Applications, HarfangLab EDR Medium Threat, HarfangLab EDR Critical Threat, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, HarfangLab EDR Suspicious Process Behavior Has Been Detected, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HarfangLab EDR Low Threat, HarfangLab EDR Medium Level Rule Detection, ZIP LNK Infection Chain, IcedID Execution Using Excel, HTA Infection Chains, HarfangLab EDR Low Level Rule Detection, Microsoft Defender Antivirus Threat Detected, Microsoft Office Spawning Script, HarfangLab EDR Hlai Engine Detection, Malspam Execution Registering Malicious DLL, Exploit For CVE-2015-1641, Download Files From Non-Legitimate TLDs, Microsoft Office Creating Suspicious File, Microsoft Office Product Spawning Windows Shell, Sysmon Windows File Block Executable, HarfangLab EDR Critical Level Rule Detection, Download Files From Suspicious TLDs, HarfangLab EDR Process Execution Blocked (HL-AI engine), HarfangLab EDR High Threat, Winword Document Droppers, HarfangLab EDR High Level Rule Detection, Suspicious DLL Loaded Via Office Applications, HarfangLab EDR Medium Threat, ISO LNK Infection Chain, HarfangLab EDR Critical Threat, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, HarfangLab EDR Suspicious Process Behavior Has Been Detected, Login Brute-Force Successful On SentinelOne EDR Management Console, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Outlook Child Process, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, PowerShell Commands Invocation, Suspicious File Name, Suspicious Outlook Child Process, Bloodhound and Sharphound Tools Usage, Suspicious XOR Encoded PowerShell Command Line, Venom Multi-hop Proxy agent detection, Detection of default Mimikatz banner, Suspicious PowerShell Keywords, Suspicious Cmd.exe Command Line, WMIC Uninstall Product, Suspicious PowerShell Invocations - Specific, Suspicious VBS Execution Parameter, Microsoft Defender Antivirus Threat Detected, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, SquirrelWaffle Malspam Execution Loading DLL, Suspicious CodePage Switch with CHCP, In-memory PowerShell, Microsoft Office Spawning Script, Suspicious Scripting In A WMI Consumer, Phorpiex DriveMgr Command, Socat Reverse Shell Detection, Invoke-TheHash Commandlets, Malspam Execution Registering Malicious DLL, Powershell Web Request, XSL Script Processing And SquiblyTwo Attack, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Office Creating Suspicious File, Mshta Suspicious Child Process, WMImplant Hack Tool, Alternate PowerShell Hosts Pipe, PowerShell Credential Prompt, Sekoia.io EICAR Detection, Default Encoding To UTF-8 PowerShell, PowerShell Malicious PowerShell Commandlets, DNS Exfiltration and Tunneling Tools Execution, AutoIt3 Execution From Suspicious Folder, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Socat Relaying Socket, PowerShell EncodedCommand, FromBase64String Command Line, WMI DLL Loaded Via Office, Suspicious Taskkill Command, Generic-reverse-shell-oneliner, Suspicious DLL Loaded Via Office Applications, QakBot Process Creation, Aspnet Compiler, PowerShell Downgrade Attack, Linux Bash Reverse Shell, PowerShell NTFS Alternate Data Stream, Elise Backdoor, Exploited CVE-2020-10189 Zoho ManageEngine, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PowerShell Invocations - Generic, Trickbot Malware Activity, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Suspicious Windows Script Execution, Login Brute-Force Successful On SentinelOne EDR Management Console, Turla Named Pipes, Lazarus Loaders, Mustang Panda Dropper, Sysprep On AppData Folder, Malicious PowerShell Keywords, PowerShell Download From URL"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Malicious Service Installations, Check Point Harmony Mobile Application Forbidden, Taskhostw Wrong Parent, Rare Logonui Child Found, Searchprotocolhost Wrong Parent, PsExec Process, Spoolsv Wrong Parent, Wininit Wrong Parent, WMI Persistence Command Line Event Consumer, Microsoft Defender Antivirus Threat Detected, Userinit Wrong Parent, Exfiltration Via Pscp, Winrshost Wrong Parent, Windows Update LolBins, Gpscript Suspicious Parent, SolarWinds Wrong Child Process, Smss Wrong Parent, Suspicious PsExec Execution, Usage Of Procdump With Common Arguments, Winword wrong parent, OneNote Suspicious Children Process, Suspicious DNS Child Process, Credential Dumping Tools Service Execution, Dllhost Wrong Parent, Svchost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Lsass Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Rare Lsass Child Found, Searchprotocolhost Child Found, Metasploit PSExec Service Creation, Csrss Wrong Parent, Windows Suspicious Service Creation, Smbexec.py Service Installation, Csrss Child Found, SolarWinds Suspicious File Creation, Suspicious Commands From MS SQL Server Shell, Usage Of Sysinternals Tools, Wmiprvse Wrong Parent, Login Brute-Force Successful On SentinelOne EDR Management Console, Logonui Wrong Parent, Searchindexer Wrong Parent"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Correlation Internal Kerberos Password Spraying, Correlation Internal Ntlm Password Spraying, RSA SecurID Failed Authentification"}, {"techniqueID": "T1557.001", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Correlation Suspicious Authentication Coercer Behavior, Potential Azure AD Phishing Page (Adversary-in-the-Middle), Possible RottenPotato Attack, EvilProxy Phishing Domain"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Possible RottenPotato Attack"}, {"techniqueID": "T1137.006", "score": 100, "comment": "Rules: Microsoft Office Startup Add-In"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, IcedID Execution Using Excel, Microsoft Office Startup Add-In"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Windows Firewall Changes, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Program Allowed With Suspicious Location, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Powershell AMSI Bypass, Microsoft Defender Antivirus Exclusion Configuration, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Opening, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Microsoft Malware Protection Engine Crash, TrustedInstaller Impersonation, Microsoft Defender Antivirus Tampering Detected, Disable Security Events Logging Adding Reg Key MiniNt, Microsoft Defender Antivirus Disable Scheduled Tasks, Python Opening Ports, Netsh Port Opening, Disabled IE Security Features, Netsh Port Forwarding, FLTMC command usage, Netsh Allow Command, Suspect Svchost Memory Access, NetNTLM Downgrade Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, ETW Tampering, Disable .NET ETW Through COMPlus_ETWEnabled, AMSI Deactivation Using Registry Key, Suspicious Driver Loaded, Microsoft Defender Antivirus Configuration Changed, Microsoft Defender Antivirus Disable Services, Address Space Layout Randomization (ASLR) Alteration, Fail2ban Unban IP, Clear EventLogs Through CommandLine, Windows Defender Deactivation Using PowerShell Script, Raccine Uninstall, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Suspicious PROCEXP152.sys File Created In Tmp, Disable Task Manager Through Registry Key"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, Microsoft Defender Antivirus Tampering Detected, High Privileges Network Share Removal, Eventlog Cleared, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Deleted, Erase Shell History, Secure Deletion With SDelete, Cookies Deletion, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, FLTMC command usage"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Antivirus Relevant File Paths Alerts, Suspicious Hangul Word Processor Child Process, Download Files From Suspicious TLDs, Msdt (Follina) File Browse Process Execution, Exploit For CVE-2015-1641, Download Files From Non-Legitimate TLDs, Suspicious New Printer Ports In Registry, Audit CVE Event, Antivirus Password Dumper Detection, Antivirus Exploitation Framework Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Antivirus Relevant File Paths Alerts, Remote Monitoring and Management Software - AnyDesk, Antivirus Password Dumper Detection, Antivirus Exploitation Framework Detection, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Program Allowed With Suspicious Location, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Microsoft Defender Antivirus Exclusion Configuration, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Opening, Microsoft Malware Protection Engine Crash, TrustedInstaller Impersonation, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Port Opening, Disabled IE Security Features, Netsh Port Forwarding, NetNTLM Downgrade Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, AMSI Deactivation Using Registry Key, Suspicious Driver Loaded, Microsoft Defender Antivirus Configuration Changed, Microsoft Defender Antivirus Disable Services, Address Space Layout Randomization (ASLR) Alteration, Fail2ban Unban IP, Windows Defender Deactivation Using PowerShell Script, Raccine Uninstall, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Suspicious PROCEXP152.sys File Created In Tmp, Disable Task Manager Through Registry Key"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Malicious Service Installations, Dumpert LSASS Process Dumper, Process Memory Dump Using Comsvcs, NTDS.dit File In Suspicious Directory, Active Directory Replication from Non Machine Account, HackTools Suspicious Process Names In Command Line, HackTools Suspicious Names, Transfering Files With Credential Data Via Network Shares, DCSync Attack, Suspicious SAM Dump, Process Trace Alteration, Mimikatz LSASS Memory Access, Password Dumper Activity On LSASS, Grabbing Sensitive Hives Via Reg Utility, RedMimicry Winnti Playbook Dropped File, LSASS Access From Non System Account, Credential Dumping Tools Service Execution, Rubeus Tool Command-line, Copying Sensitive Files With Credential Data, Credential Dump Tools Related Files, Suspicious CommandLine Lsassy Pattern, WCE wceaux.dll Creation, Lsass Access Through WinRM, NetNTLM Downgrade Attack, Process Memory Dump Using Rdrleakdiag, Wdigest Enable UseLogonCredential, LSASS Memory Dump File Creation, Process Memory Dump Using Createdump, SAM Registry Hive Handle Request, Windows Credential Editor Registry Key, Credential Dumping By LaZagne, Load Of dbghelp/dbgcore DLL From Suspicious Process, Impacket Secretsdump.py Tool, Mimikatz Basic Commands, DPAPI Domain Backup Key Extraction, NTDS.dit File Interaction Through Command Line, Credential Dumping-Tools Common Named Pipes, LSASS Memory Dump, Active Directory Database Dump Via Ntdsutil, Copying Browser Files With Credentials, Unsigned Image Loaded Into LSASS Process"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, Disable Workstation Lock, RDP Sensitive Settings Changed, Suspicious New Printer Ports In Registry, RedMimicry Winnti Playbook Registry Manipulation, Chafer (APT 39) Activity, Disable Security Events Logging Adding Reg Key MiniNt, Remote Registry Management Using Reg Utility, NetNTLM Downgrade Attack, Blue Mockingbird Malware, Wdigest Enable UseLogonCredential, Suspicious Desktopimgdownldr Execution, Disabling SmartScreen Via Registry, Disable .NET ETW Through COMPlus_ETWEnabled, DNS ServerLevelPluginDll Installation, FlowCloud Malware, OceanLotus Registry Activity, DHCP Callout DLL Installation, Ursnif Registry Key"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Information Stealer Downloading Legitimate Third-Party DLLs"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Information Stealer Downloading Legitimate Third-Party DLLs, Suspicious URI Used In A Lazarus Campaign, Network Connection Via Certutil, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Rclone Process, Suspicious Finger Usage"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access, Reconnaissance Commands Activities, COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, UAC Bypass Via Sdclt"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution, Dynwrapx Module Loading, AccCheckConsole Executing Dll, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, Mshta JavaScript Execution, MavInject Process Injection, Suspicious Control Process, MOFComp Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Regasm Regsvcs Usage, Malspam Execution Registering Malicious DLL, CertOC Loading Dll, xWizard Execution, PowerShell Execution Via Rundll32, Control Panel Items, Empire Monkey Activity, Suspicious Desktopimgdownldr Execution, Suspicious Taskkill Command, Suspicious Mshta Execution, Suspicious DLL Loading By Ordinal, Suspicious Regsvr32 Execution, CMSTP UAC Bypass via COM Object Access, CMSTP Execution, Explorer Process Executing HTA File, Equation Group DLL_U Load, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Suspicious Kerberos Ticket, Suspicious Outbound Kerberos Connection, Rubeus Register New Logon Process, Kerberos Pre-Auth Disabled in UAC, Possible Replay Attack, User Couldn't Call A Privileged Service LsaRegisterLogonProcess, Suspicious TGS requests (Kerberoasting)"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dumping Tools Service Execution, Copying Sensitive Files With Credential Data, Credential Dump Tools Related Files, Impacket Secretsdump.py Tool, Grabbing Sensitive Hives Via Reg Utility, RedMimicry Winnti Playbook Dropped File, Credential Dumping-Tools Common Named Pipes, Suspicious SAM Dump, Copying Browser Files With Credentials, SAM Registry Hive Handle Request"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dumping Tools Service Execution, Credential Dump Tools Related Files, Impacket Secretsdump.py Tool, DPAPI Domain Backup Key Extraction, Grabbing Sensitive Hives Via Reg Utility, Credential Dumping-Tools Common Named Pipes"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Credential Dumping Tools Service Execution, Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility, Credential Dumping-Tools Common Named Pipes"}, {"techniqueID": "T1212", "score": 100, "comment": "Rules: Audit CVE Event, Abusing Azure Browser SSO"}, {"techniqueID": "T1528", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1550.001", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Potential RDP Connection To Non-Domain Host, Abusing Azure Browser SSO, Successful Overpass The Hash Attempt"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Microsoft Office Spawning Script, Suspicious DLL Loaded Via Office Applications, Malspam Execution Registering Malicious DLL, XSL Script Processing And SquiblyTwo Attack, WMI DLL Loaded Via Office, Microsoft Office Creating Suspicious File, Suspicious Windows Script Execution, SquirrelWaffle Malspam Execution Loading DLL, QakBot Process Creation, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Active Directory Delegate To KRBTGT Service, User Added to Local Administrators, Add User to Privileged Group, Active Directory Replication User Backdoor, Mimikatz Basic Commands, Active Directory User Backdoors, Enabling Restricted Admin Mode, SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory, Password Change On Directory Service Restore Mode (DSRM) Account, Privileged AD Builtin Group Modified"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: GPO Executable Delivery, Domain Trust Created Or Removed, Privileged AD Builtin Group Modified, Creation or Modification of a GPO Scheduled Task"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, Bloodhound and Sharphound Tools Usage, Suspicious XOR Encoded PowerShell Command Line, Detection of default Mimikatz banner, Suspicious PowerShell Keywords, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, In-memory PowerShell, Invoke-TheHash Commandlets, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), Mshta Suspicious Child Process, WMImplant Hack Tool, Alternate PowerShell Hosts Pipe, PowerShell Credential Prompt, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, FromBase64String Command Line, Suspicious Taskkill Command, PowerShell Downgrade Attack, PowerShell NTFS Alternate Data Stream, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious PowerShell Invocations - Generic, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Turla Named Pipes, PowerShell Malicious PowerShell Commandlets, Malicious PowerShell Keywords, PowerShell Download From URL"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Suspicious Scripting In A WMI Consumer, Suspicious Netsh DLL Persistence, Control Panel Items, Component Object Model Hijacking, Sticky Key Like Backdoor Usage, Reconnaissance Commands Activities, Change Default File Association, WMI Event Subscription, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, New DLL Added To AppCertDlls Registry Key, COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, WMI Fingerprint Commands, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, Shadow Copies, System Info Discovery"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Cobalt Strike Named Pipes, Svchost Wrong Parent, Dynwrapx Module Loading, Taskhostw Wrong Parent, Process Herpaderping, Address Space Layout Randomization (ASLR) Alteration, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Smss Wrong Parent, Wsmprovhost Wrong Parent, Wmiprvse Wrong Parent, MavInject Process Injection, Explorer Wrong Parent, Spoolsv Wrong Parent, Malicious Named Pipe, Process Hollowing Detection, Searchindexer Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Malicious Service Installations, Taskhostw Wrong Parent, Rare Logonui Child Found, Searchprotocolhost Wrong Parent, APT29 Fake Google Update Service Install, Chafer (APT 39) Activity, Spoolsv Wrong Parent, Wininit Wrong Parent, WMI Persistence Command Line Event Consumer, New Service Creation, Userinit Wrong Parent, Winrshost Wrong Parent, Gpscript Suspicious Parent, SolarWinds Wrong Child Process, Smss Wrong Parent, Explorer Wrong Parent, Winword wrong parent, OneNote Suspicious Children Process, StoneDrill Service Install, Dllhost Wrong Parent, Svchost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Lsass Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Rare Lsass Child Found, Searchprotocolhost Child Found, Csrss Wrong Parent, Cobalt Strike Default Service Creation Usage, Csrss Child Found, Suspicious Commands From MS SQL Server Shell, Wmiprvse Wrong Parent, Logonui Wrong Parent, Searchindexer Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Malicious Service Installations, Taskhostw Wrong Parent, Rare Logonui Child Found, Searchprotocolhost Wrong Parent, APT29 Fake Google Update Service Install, Chafer (APT 39) Activity, Spoolsv Wrong Parent, Wininit Wrong Parent, WMI Persistence Command Line Event Consumer, New Service Creation, Userinit Wrong Parent, Winrshost Wrong Parent, Gpscript Suspicious Parent, SolarWinds Wrong Child Process, Smss Wrong Parent, Explorer Wrong Parent, Winword wrong parent, OneNote Suspicious Children Process, StoneDrill Service Install, Dllhost Wrong Parent, Svchost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Lsass Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Rare Lsass Child Found, Searchprotocolhost Child Found, Csrss Wrong Parent, Cobalt Strike Default Service Creation Usage, Csrss Child Found, Suspicious Commands From MS SQL Server Shell, Wmiprvse Wrong Parent, Logonui Wrong Parent, Searchindexer Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Malicious Service Installations, Taskhostw Wrong Parent, Rare Logonui Child Found, Searchprotocolhost Wrong Parent, PsExec Process, Spoolsv Wrong Parent, Wininit Wrong Parent, WMI Persistence Command Line Event Consumer, Userinit Wrong Parent, Winrshost Wrong Parent, Gpscript Suspicious Parent, SolarWinds Wrong Child Process, Smss Wrong Parent, Suspicious PsExec Execution, Usage Of Procdump With Common Arguments, Winword wrong parent, OneNote Suspicious Children Process, Suspicious DNS Child Process, Credential Dumping Tools Service Execution, Dllhost Wrong Parent, Svchost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Lsass Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Rare Lsass Child Found, Searchprotocolhost Child Found, Metasploit PSExec Service Creation, Csrss Wrong Parent, Windows Suspicious Service Creation, Smbexec.py Service Installation, Csrss Child Found, Suspicious Commands From MS SQL Server Shell, Usage Of Sysinternals Tools, Wmiprvse Wrong Parent, Logonui Wrong Parent, Searchindexer Wrong Parent"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Netsh Allow Command, Netsh RDP Port Forwarding, Windows Firewall Changes, Python Opening Ports, Netsh Program Allowed With Suspicious Location, Powershell AMSI Bypass, Netsh Port Opening, Netsh Port Forwarding"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Eventlog Cleared, Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, WMI Event Subscription, Suspicious Scripting In A WMI Consumer"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, PowerShell Data Compressed, Data Compressed With Rar With Password"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Remote Task Creation Via ATSVC Named Pipe, Blue Mockingbird Malware, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Creation or Modification of a GPO Scheduled Task, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Suspicious Parent, Remote Task Creation Via ATSVC Named Pipe, Spyware Persistence Using Schtasks, Chafer (APT 39) Activity, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, Windows Suspicious Scheduled Task Creation"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Creation or Modification of a GPO Scheduled Task, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, Chafer (APT 39) Activity, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, Windows Suspicious Scheduled Task Creation"}, {"techniqueID": "T1187", "score": 100, "comment": "Rules: Correlation Suspicious Authentication Coercer Behavior"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: User Couldn't Call A Privileged Service LsaRegisterLogonProcess, Rubeus Tool Command-line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, Privileged AD Builtin Group Modified, User Account Deleted"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, GitLab CVE-2021-22205, CVE-2020-17530 Apache Struts RCE, Suspicious DNS Child Process"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, SCM Database Privileged Operation, PowerView commandlets 2, SCM Database Handle Failure"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2, Network Scanning and Discovery, Openfiles Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, AD Privileged Users Or Groups Reconnaissance, Active Directory Data Export Using Csvde, Remote Enumeration Of Lateral Movement Groups, Bloodhound and Sharphound Tools Usage, Phosphorus (APT35) Exchange Discovery, PowerView commandlets 2, Reconnaissance Commands Activities, Remote Privileged Group Enumeration, PowerView commandlets 1, AD User Enumeration"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 1, Netscan Share Access Artefact, Network Share Discovery, PowerView commandlets 2"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, Trickbot Malware Activity, PowerView commandlets 2, NlTest Usage, AdFind Usage, Phosphorus Domain Controller Discovery, PowerView commandlets 1"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: AD Object WriteDAC Access, ICacls Granting Access To All, File Or Folder Permissions Modifications, Linux Remove Immutable Attribute"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dumping Tools Service Execution, Dumpert LSASS Process Dumper, Credential Dump Tools Related Files, Windows Credential Editor Registry Key, Suspicious CommandLine Lsassy Pattern, Load Of dbghelp/dbgcore DLL From Suspicious Process, Credential Dumping By LaZagne, Lsass Access Through WinRM, Password Dumper Activity On LSASS, Process Memory Dump Using Rdrleakdiag, LSASS Memory Dump File Creation, Process Memory Dump Using Createdump, Credential Dumping-Tools Common Named Pipes, LSASS Memory Dump, Mimikatz LSASS Memory Access, LSASS Access From Non System Account, Unsigned Image Loaded Into LSASS Process"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Audit CVE Event, Suspicious New Printer Ports In Registry, Certify Or Certipy, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Audit CVE Event, Microsoft Malware Protection Engine Crash"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Audit CVE Event, Registry Checked For Lanmanserver DisableCompression Parameter, CVE-2019-0708 Scan"}, {"techniqueID": "T1499.004", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading, Webshell Creation, Webshell Execution W3WP Process, ProxyShell Microsoft Exchange Suspicious Paths, Antivirus Web Shell Detection, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading, Webshell Creation, Webshell Execution W3WP Process, ProxyShell Microsoft Exchange Suspicious Paths, IIS Module Installation Using AppCmd, Antivirus Web Shell Detection, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Execution From Suspicious Folder, RTLO Character, Copy Of Legitimate System32 Executable, AutoIt3 Execution From Suspicious Folder, Formbook Hijacked Process Command, Non-Legitimate Executable Using AcceptEula Parameter, New Or Renamed User Account With '$' In Attribute 'SamAccountName', Legitimate Process Execution From Unusual Folder, Possible Malicious File Double Extension, Suspicious Cmd.exe Command Line, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1129", "score": 100, "comment": "Rules: FoggyWeb Backdoor DLL Loading"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Socat Reverse Shell Detection, Socat Relaying Socket, Potential DNS Tunnel, Venom Multi-hop Proxy agent detection, Ngrok Process Execution, Netsh Port Forwarding"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Stop Backup Services, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Secure Deletion With SDelete, Backup Catalog Deleted, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, WMI Fingerprint Commands, WMI Install Of Binary, Impacket Wmiexec Module, Invoke-TheHash Commandlets, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, WMI DLL Loaded Via Office, Wmic Process Call Creation, WMIC Uninstall Product, WMImplant Hack Tool, Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1021.002", "score": 100, "comment": "Rules: Cobalt Strike Default Service Creation Usage, Smbexec.py Service Installation, Protected Storage Service Access, Remote Service Activity Via SVCCTL Named Pipe, Admin Share Access, Lateral Movement Remote Named Pipe"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, MMC20 Lateral Movement, Cobalt Strike Default Service Creation Usage, Smbexec.py Service Installation, Lsass Access Through WinRM, Protected Storage Service Access, RDP Login From Localhost, Remote Service Activity Via SVCCTL Named Pipe, MMC Spawning Windows Shell, Admin Share Access, Lateral Movement Remote Named Pipe, Denied Access To Remote Desktop"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Linux Suspicious Nohup Exec, PowerShell NTFS Alternate Data Stream, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created, Suspicious Windows ANONYMOUS LOGON Local Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Suspicious Windows ANONYMOUS LOGON Local Account Created, Suspicious URL Requested By Curl Or Wget Commands, Impacket Addcomputer"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Suspicious Windows ANONYMOUS LOGON Local Account Created, Impacket Addcomputer"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled, Disable Security Events Logging Adding Reg Key MiniNt, Suspect Svchost Memory Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing, DNS Tunnel Technique From MuddyWater, Chafer (APT 39) Activity"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Correlation Potential DNS Tunnel, Sliver DNS Beaconing, Chafer (APT 39) Activity, Covenant Default HTTP Beaconing, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Python HTTP Server, Detect requests to Konni C2 servers, DNS Tunnel Technique From MuddyWater, Suspicious LDAP-Attributes Used, DNS Exfiltration and Tunneling Tools Execution, Bazar Loader DGA (Domain Generation Algorithm), Koadic MSHTML Command, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Exfiltration And Tunneling Tools Execution, Cryptomining, Potential Lemon Duck User-Agent, Suspicious Windows DNS Queries, Dynamic DNS Contacted"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, Download Files From Suspicious TLDs, HTA Infection Chains, Download Files From Non-Legitimate TLDs, ISO LNK Infection Chain"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, Credential Dump Tools Related Files, Impacket Secretsdump.py Tool, NTDS.dit File Interaction Through Command Line, Active Directory Database Dump Via Ntdsutil"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, DLL Load via LSASS Registry Key, Malware Persistence Registry Key, Narrator Feedback-Hub Persistence, RUN Registry Key Created From Suspicious Folder, Suspicious desktop.ini Action, NjRat Registry Changes, Svchost Modification, Njrat Registry Values, Registry Key Used By Some Old Agent Tesla Samples, Autorun Keys Modification, Kernel Module Alteration, Powershell Winlogon Helper DLL, Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool, Suspicious LDAP-Attributes Used"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool, Suspicious LDAP-Attributes Used"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Remote Enumeration Of Lateral Movement Groups, Bloodhound and Sharphound Tools Usage, Remote Privileged Group Enumeration"}, {"techniqueID": "T1021.006", "score": 100, "comment": "Rules: Lsass Access Through WinRM"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Secure Deletion With SDelete"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, Suspicious Network Args In Command Line"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, Denied Access To Remote Desktop, RDP Login From Localhost"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL, Werfault DLL Injection, DNS Server Error Failed Loading The ServerLevelPluginDLL, Svchost DLL Search Order Hijack, Suspicious DLL side loading from ProgramData, DHCP Callout DLL Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL, Exploiting SetupComplete.cmd CVE-2019-1378, Windows Registry Persistence COM Search Order Hijacking, Werfault DLL Injection, DNS Server Error Failed Loading The ServerLevelPluginDLL, Svchost DLL Search Order Hijack, Hijack Legit RDP Session To Move Laterally, Linux Shared Lib Injection Via Ldso Preload, Suspicious DLL side loading from ProgramData, DHCP Callout DLL Installation, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1055.012", "score": 100, "comment": "Rules: Process Hollowing Detection"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: Active Directory Shadow Credentials, KeePass Config XML In Command-Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder, Narrator Feedback-Hub Persistence, Svchost Modification, Registry Key Used By Some Old Agent Tesla Samples, Autorun Keys Modification, Malware Persistence Registry Key"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1484.001", "score": 100, "comment": "Rules: GPO Executable Delivery, Creation or Modification of a GPO Scheduled Task"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, Credentials Extraction, Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Adexplorer Usage, Opening Of a Password File, Remote Registry Management Using Reg Utility, Credentials Extraction, Linux Suspicious Search, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Dynwrapx Module Loading, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, Empire Monkey Activity, Equation Group DLL_U Load, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, Suspicious Headless Web Browser Execution To Download File, Discovery Commands Correlation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, Cmd.exe Used To Run Reconnaissance Commands, Discovery Commands Correlation"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: System Network Connections Discovery, Remote System Discovery Via Telnet, ACLight Discovering Privileged Accounts, Microsoft Windows Active Directory Module Commandlets, Adidnsdump Enumeration"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Elise Backdoor, Exploited CVE-2020-10189 Zoho ManageEngine, Exploiting SetupComplete.cmd CVE-2019-1378, Phorpiex DriveMgr Command, Malspam Execution Registering Malicious DLL, Suspicious Cmd.exe Command Line, Suspicious Taskkill Command, Mustang Panda Dropper, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1110.003", "score": 100, "comment": "Rules: Correlation Internal Kerberos Password Spraying, Correlation Internal Ntlm Password Spraying"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: User Added to Local Administrators, Admin User RDP Remote Logon, Account Tampering - Suspicious Failed Logon Reasons, Account Added To A Security Enabled Group, Denied Access To Remote Desktop, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1003.006", "score": 100, "comment": "Rules: Credential Dumping Tools Service Execution, Active Directory Replication from Non Machine Account, DCSync Attack"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Exfiltration Domain, Powershell UploadString Function, TUN/TAP Driver Installation"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line, Exfiltration Domain"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Legitimate Process Execution From Unusual Folder, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, AD Privileged Users Or Groups Reconnaissance, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, AD User Enumeration"}, {"techniqueID": "T1100", "score": 100, "comment": "Rules: Antivirus Web Shell Detection"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Access To Sensitive File Extensions"}, {"techniqueID": "T1091", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1200", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Download Files From Suspicious TLDs, Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Download Files From Non-Legitimate TLDs, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, Suspicious Outlook Child Process"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Exfiltration And Tunneling Tools Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, Python HTTP Server, Suspicious Windows DNS Queries, Detect requests to Konni C2 servers, Koadic MSHTML Command, TrevorC2 HTTP Communication, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, SysKey Registry Keys Access, Remote Registry Management Using Reg Utility, Putty Sessions Listing"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host, Successful Overpass The Hash Attempt"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1649", "score": 100, "comment": "Rules: Suspicious Certificate Request-adcs Abuse, Suspicious Kerberos Ticket"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: Dynwrapx Module Loading, MavInject Process Injection"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: WMIC Loading Scripting Libraries, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1207", "score": 100, "comment": "Rules: DC Shadow via Service Principal Name (SPN) creation"}, {"techniqueID": "T1574.001", "score": 100, "comment": "Rules: Windows Registry Persistence COM Search Order Hijacking, Svchost DLL Search Order Hijack"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1086", "score": 100, "comment": "Rules: In-memory PowerShell"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1558.004", "score": 100, "comment": "Rules: Kerberos Pre-Auth Disabled in UAC"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage, Suspicious TOR Gateway, Netsh Port Forwarding, Suspicious Hostname, TOR Usage Generic Rule"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression, Secure Deletion With SDelete"}, {"techniqueID": "T1027.005", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1136.003", "score": 100, "comment": "Rules: Suspicious URL Requested By Curl Or Wget Commands"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_954a6488-6394-4385-8427-621541e881d5_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_954a6488-6394-4385-8427-621541e881d5_do_not_edit_manually.json
index 6ea61b8412..67efd3aa6d 100644
--- a/_shared_content/operations_center/detection/generated/attack_954a6488-6394-4385-8427-621541e881d5_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_954a6488-6394-4385-8427-621541e881d5_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Trellix EDR [ALPHA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Venom Multi-hop Proxy agent detection, Suspicious Windows Script Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious CodePage Switch with CHCP, Default Encoding To UTF-8 PowerShell, Socat Reverse Shell Detection, Generic-reverse-shell-oneliner, WMImplant Hack Tool, Suspicious PowerShell Keywords, PowerShell Downgrade Attack, Suspicious PrinterPorts Creation (CVE-2020-1048), Mustang Panda Dropper, PowerShell EncodedCommand, QakBot Process Creation, Socat Relaying Socket, Sysprep On AppData Folder, Powershell Web Request, Malspam Execution Registering Malicious DLL, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Taskkill Command, Bloodhound and Sharphound Tools Usage, MalwareBytes Uninstallation, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Download From URL, PowerShell Commands Invocation, Invoke-TheHash Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, XSL Script Processing And SquiblyTwo Attack, Suspicious XOR Encoded PowerShell Command Line, WMIC Uninstall Product, Suspicious PowerShell Invocations - Generic, Suspicious VBS Execution Parameter, Suspicious PowerShell Invocations - Specific, Lazarus Loaders, Elise Backdoor, DNS Exfiltration and Tunneling Tools Execution, PowerShell Invoke Expression With Registry, Linux Bash Reverse Shell"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Process Names In Command Line, Cmdkey Cached Credentials Recon, HackTools Suspicious Names, Process Trace Alteration, Process Memory Dump Using Rdrleakdiag, Mimikatz Basic Commands, Rubeus Tool Command-line, Grabbing Sensitive Hives Via Reg Utility, Process Memory Dump Using Comsvcs, Wdigest Enable UseLogonCredential, NTDS.dit File Interaction Through Command Line, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Createdump, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Rclone Process, Suspicious certutil command, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, QakBot Process Creation, Suspicious CodePage Switch with CHCP, Malspam Execution Registering Malicious DLL, Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, WMI Fingerprint Commands, Shadow Copies, System Info Discovery, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Add User to Privileged Group, Enabling Restricted Admin Mode"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Powershell AMSI Bypass, Netsh Port Opening, Netsh Allow Command, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Allow Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh RDP Port Opening, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh RDP Port Forwarding, Netsh Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Disabled IE Security Features, ETW Tampering, Powershell AMSI Bypass, MalwareBytes Uninstallation, Raccine Uninstall, Disable Windows Defender Credential Guard, Address Space Layout Randomization (ASLR) Alteration, Windows Firewall Changes, Microsoft Defender Antivirus Disable Using Registry, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable Services, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, WMIC Uninstall Product, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Port Opening, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Task Manager Through Registry Key, Netsh Allowed Python Program, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Wdigest Enable UseLogonCredential, Suspicious Desktopimgdownldr Execution, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Empire Monkey Activity, Suspicious Desktopimgdownldr Execution, Suspicious Mshta Execution, xWizard Execution, Suspicious Regsvr32 Execution, Malspam Execution Registering Malicious DLL, MavInject Process Injection, PowerShell Execution Via Rundll32, CertOC Loading Dll, Suspicious DLL Loading By Ordinal, Suspicious Taskkill Command, Explorer Process Executing HTA File, Equation Group DLL_U Load, Suspicious Regasm Regsvcs Usage, CMSTP Execution, Control Panel Items, Suspicious Control Process, AccCheckConsole Executing Dll, Mshta JavaScript Execution, Suspicious Windows Installer Execution, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password, PowerShell Data Compressed"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, COM Hijack Via Sdclt, Control Panel Items, HTML Smuggling Suspicious Usage, Reconnaissance Commands Activities, Change Default File Association, Component Object Model Hijacking"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Shell PID Injection, COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, Reconnaissance Commands Activities, UAC Bypass Via Sdclt"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Openfiles Usage, Network Scanning and Discovery, Shell PID Injection, PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Shell PID Injection, Discovery Commands Correlation, Active Directory Data Export Using Csvde, PowerView commandlets 1, Reconnaissance Commands Activities, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, PowerView commandlets 1, AdFind Usage, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, PowerCat Function Loading"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Ngrok Process Execution, Netsh Port Forwarding"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Correlation Multi Service Disable"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Stop Backup Services"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Process Call Creation, WMIC Uninstall Product, WMImplant Hack Tool, WMI Install Of Binary, WMI Fingerprint Commands, Invoke-TheHash Commandlets, Wmic Service Call, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, WMImplant Hack Tool, Suspicious PowerShell Keywords, PowerShell Downgrade Attack, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Powershell Web Request, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Taskkill Command, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Download From URL, Invoke-TheHash Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, Suspicious PowerShell Invocations - Generic, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, PowerShell Invoke Expression With Registry"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh RDP Port Forwarding, Netsh Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Disabled IE Security Features, MalwareBytes Uninstallation, Raccine Uninstall, Disable Windows Defender Credential Guard, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Disable Services, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, WMIC Uninstall Product, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Port Opening, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Task Manager Through Registry Key, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Autorun Keys Modification, Leviathan Registry Key Activity, Njrat Registry Values, Kernel Module Alteration, NjRat Registry Changes"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious XOR Encoded PowerShell Command Line, Suspicious certutil command, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Gpresult Usage, Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, Network Sniffing, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Exfiltration Via Pscp, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: System Network Connections Discovery, Remote System Discovery Via Telnet, Adidnsdump Enumeration"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, WMIC Uninstall Product, MalwareBytes Uninstallation, Malspam Execution Registering Malicious DLL, Lazarus Loaders, Elise Backdoor, Suspicious Taskkill Command, Phorpiex DriveMgr Command, Mustang Panda Dropper"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access, Adexplorer Usage, Linux Suspicious Search, Opening Of a Password File, Container Credential Access"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, Erase Shell History, ETW Tampering, Compression Followed By Suppression"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Malspam Execution Registering Malicious DLL, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Dynamic DNS Contacted, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, Discovery Commands Correlation"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup, Wmic Suspicious Commands"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Shell PID Injection"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Trellix EDR [ALPHA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, PowerShell Commands Invocation, Bloodhound and Sharphound Tools Usage, Suspicious XOR Encoded PowerShell Command Line, Venom Multi-hop Proxy agent detection, Suspicious PowerShell Keywords, WMIC Uninstall Product, Suspicious PowerShell Invocations - Specific, Suspicious VBS Execution Parameter, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious CodePage Switch with CHCP, Socat Reverse Shell Detection, Phorpiex DriveMgr Command, Invoke-TheHash Commandlets, Malspam Execution Registering Malicious DLL, Powershell Web Request, XSL Script Processing And SquiblyTwo Attack, Suspicious PrinterPorts Creation (CVE-2020-1048), WMImplant Hack Tool, Sekoia.io EICAR Detection, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Socat Relaying Socket, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, FromBase64String Command Line, Suspicious Taskkill Command, Generic-reverse-shell-oneliner, QakBot Process Creation, Linux Bash Reverse Shell, PowerShell Downgrade Attack, Elise Backdoor, Suspicious PowerShell Invocations - Generic, Suspicious Windows Script Execution, Mustang Panda Dropper, Lazarus Loaders, Sysprep On AppData Folder, PowerShell Download From URL"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, Copying Sensitive Files With Credential Data, Process Trace Alteration, Suspicious CommandLine Lsassy Pattern, Mimikatz Basic Commands, HackTools Suspicious Process Names In Command Line, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Names, Process Memory Dump Using Rdrleakdiag, Wdigest Enable UseLogonCredential, Grabbing Sensitive Hives Via Reg Utility, Process Memory Dump Using Createdump, Copying Browser Files With Credentials"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Rclone Process, Suspicious Finger Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Malspam Execution Registering Malicious DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, QakBot Process Creation, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, WMI Fingerprint Commands, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, Shadow Copies, System Info Discovery"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Netsh Allow Command, Netsh RDP Port Forwarding, Windows Firewall Changes, Powershell AMSI Bypass, Netsh Port Opening, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Netsh RDP Port Forwarding, Windows Firewall Changes, Microsoft Defender Antivirus Disable SecurityHealth, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Powershell AMSI Bypass, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Opening, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Port Opening, Disabled IE Security Features, Netsh Port Forwarding, Netsh Allow Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, ETW Tampering, Disable .NET ETW Through COMPlus_ETWEnabled, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disable Services, Address Space Layout Randomization (ASLR) Alteration, Fail2ban Unban IP, Clear EventLogs Through CommandLine, Raccine Uninstall, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Blue Mockingbird Malware, Wdigest Enable UseLogonCredential, RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, DHCP Callout DLL Installation, Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, Suspicious Rundll32.exe Execution, Mshta JavaScript Execution, MavInject Process Injection, Suspicious Control Process, Suspicious Regasm Regsvcs Usage, Malspam Execution Registering Malicious DLL, CertOC Loading Dll, xWizard Execution, PowerShell Execution Via Rundll32, Control Panel Items, Empire Monkey Activity, Suspicious Desktopimgdownldr Execution, Suspicious Taskkill Command, Suspicious Mshta Execution, Suspicious DLL Loading By Ordinal, Suspicious Regsvr32 Execution, CMSTP Execution, Explorer Process Executing HTA File, Equation Group DLL_U Load"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, PowerShell Data Compressed, Data Compressed With Rar With Password"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Control Panel Items, Reconnaissance Commands Activities, Change Default File Association, New DLL Added To AppCertDlls Registry Key, COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, Shell PID Injection, COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, UAC Bypass Via Sdclt"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, PowerView commandlets 2, Openfiles Usage, Shell PID Injection, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, Reconnaissance Commands Activities, Shell PID Injection, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 1, Network Share Discovery, PowerView commandlets 2"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, AdFind Usage, NlTest Usage, PowerView commandlets 1"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, RTLO Character, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Ngrok Process Execution, Netsh Port Forwarding"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Stop Backup Services, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, WMI Fingerprint Commands, WMI Install Of Binary, Invoke-TheHash Commandlets, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, Wmic Process Call Creation, WMIC Uninstall Product, WMImplant Hack Tool"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, Bloodhound and Sharphound Tools Usage, Suspicious XOR Encoded PowerShell Command Line, Suspicious PowerShell Keywords, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, Invoke-TheHash Commandlets, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), WMImplant Hack Tool, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, FromBase64String Command Line, Suspicious Taskkill Command, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Generic, PowerShell Download From URL"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable SecurityHealth, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Port Opening, Disabled IE Security Features, Netsh Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disable Services, Address Space Layout Randomization (ASLR) Alteration, Fail2ban Unban IP, Raccine Uninstall, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, NjRat Registry Changes, Njrat Registry Values, Autorun Keys Modification, Kernel Module Alteration, Malware Persistence Registry Key"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Exfiltration Via Pscp, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, Suspicious Headless Web Browser Execution To Download File, Discovery Commands Correlation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, System Network Connections Discovery, Remote System Discovery Via Telnet"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Elise Backdoor, Phorpiex DriveMgr Command, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Mustang Panda Dropper, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Adexplorer Usage, Opening Of a Password File, Linux Suspicious Search, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, Erase Shell History, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line, Exfiltration Domain"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Malspam Execution Registering Malicious DLL, Empire Monkey Activity, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Cryptomining, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Dynamic DNS Contacted"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Shell PID Injection, Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_995d7daf-4e4a-42ec-b90d-9af2f7be7019_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_995d7daf-4e4a-42ec-b90d-9af2f7be7019_do_not_edit_manually.json
index 990dd8632b..1c493e7155 100644
--- a/_shared_content/operations_center/detection/generated/attack_995d7daf-4e4a-42ec-b90d-9af2f7be7019_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_995d7daf-4e4a-42ec-b90d-9af2f7be7019_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco Meraki MX", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential LokiBot User-Agent, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cryptomining, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-26855 Exchange SSRF, CVE-2020-1147 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2020-17530 Apache Struts RCE, CVE-2021-21972 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-0604 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21985 VMware vCenter"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential LokiBot User-Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco Meraki MX", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, TrevorC2 HTTP Communication, Covenant Default HTTP Beaconing, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-1147 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, TrevorC2 HTTP Communication, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_99da26fc-bf7b-4e5b-a76c-408472fcfebb_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_99da26fc-bf7b-4e5b-a76c-408472fcfebb_do_not_edit_manually.json
index 032a7635bc..7462b660fb 100644
--- a/_shared_content/operations_center/detection/generated/attack_99da26fc-bf7b-4e5b-a76c-408472fcfebb_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_99da26fc-bf7b-4e5b-a76c-408472fcfebb_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Sophos Analysis Threat Center", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Venom Multi-hop Proxy agent detection, Suspicious Windows Script Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious CodePage Switch with CHCP, Default Encoding To UTF-8 PowerShell, Socat Reverse Shell Detection, Generic-reverse-shell-oneliner, WMImplant Hack Tool, Suspicious PowerShell Keywords, Trickbot Malware Activity, PowerShell Downgrade Attack, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PrinterPorts Creation (CVE-2020-1048), Mustang Panda Dropper, PowerShell EncodedCommand, QakBot Process Creation, Socat Relaying Socket, Sysprep On AppData Folder, Powershell Web Request, Malspam Execution Registering Malicious DLL, Suspicious Outlook Child Process, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Taskkill Command, Bloodhound and Sharphound Tools Usage, Suspicious Cmd.exe Command Line, MalwareBytes Uninstallation, PowerShell Malicious Nishang PowerShell Commandlets, Mshta Suspicious Child Process, PowerShell Download From URL, PowerShell Commands Invocation, Microsoft Office Spawning Script, Invoke-TheHash Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, XSL Script Processing And SquiblyTwo Attack, Suspicious XOR Encoded PowerShell Command Line, WMIC Uninstall Product, Suspicious PowerShell Invocations - Generic, Exploited CVE-2020-10189 Zoho ManageEngine, Microsoft Office Creating Suspicious File, SquirrelWaffle Malspam Execution Loading DLL, Suspicious VBS Execution Parameter, Suspicious PowerShell Invocations - Specific, Lazarus Loaders, Elise Backdoor, DNS Exfiltration and Tunneling Tools Execution, PowerShell Invoke Expression With Registry, Suspicious File Name, Linux Bash Reverse Shell"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, FLTMC command usage, ETW Tampering"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Program Allowed With Suspicious Location, Netsh Allow Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Exclusion Configuration, Netsh RDP Port Opening, Disable .NET ETW Through COMPlus_ETWEnabled, FLTMC command usage, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PROCEXP152.sys File Created In Tmp, Netsh RDP Port Forwarding, Netsh Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Disabled IE Security Features, ETW Tampering, Powershell AMSI Bypass, MalwareBytes Uninstallation, Raccine Uninstall, Disable Windows Defender Credential Guard, Address Space Layout Randomization (ASLR) Alteration, Windows Firewall Changes, Microsoft Defender Antivirus Disable Using Registry, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable Services, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, NetNTLM Downgrade Attack, Dism Disabling Windows Defender, WMIC Uninstall Product, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Port Opening, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Task Manager Through Registry Key, Netsh Allowed Python Program, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Driver Loaded"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Exclusion Configuration, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PROCEXP152.sys File Created In Tmp, Netsh RDP Port Forwarding, Netsh Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Disabled IE Security Features, MalwareBytes Uninstallation, Raccine Uninstall, Disable Windows Defender Credential Guard, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Disable Services, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, NetNTLM Downgrade Attack, Dism Disabling Windows Defender, WMIC Uninstall Product, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Port Opening, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Task Manager Through Registry Key, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Driver Loaded"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Process Names In Command Line, NTDS.dit File In Suspicious Directory, Mimikatz Basic Commands, Process Memory Dump Using Comsvcs, Grabbing Sensitive Hives Via Reg Utility, WCE wceaux.dll Creation, Copying Browser Files With Credentials, HackTools Suspicious Names, NTDS.dit File Interaction Through Command Line, Suspicious CommandLine Lsassy Pattern, Windows Credential Editor Registry Key, Cmdkey Cached Credentials Recon, Process Trace Alteration, Rubeus Tool Command-line, Wdigest Enable UseLogonCredential, Credential Dump Tools Related Files, NetNTLM Downgrade Attack, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Rclone Process, Suspicious certutil command, Information Stealer Downloading Legitimate Third-Party DLLs, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Shell PID Injection, COM Hijack Via Sdclt, CMSTP UAC Bypass via COM Object Access, HTML Smuggling Suspicious Usage, Reconnaissance Commands Activities, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP UAC Bypass via COM Object Access, CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Empire Monkey Activity, IcedID Execution Using Excel, Suspicious Desktopimgdownldr Execution, Suspicious Mshta Execution, xWizard Execution, Suspicious Regsvr32 Execution, Malspam Execution Registering Malicious DLL, MavInject Process Injection, PowerShell Execution Via Rundll32, CertOC Loading Dll, Suspicious DLL Loading By Ordinal, CMSTP UAC Bypass via COM Object Access, Suspicious Taskkill Command, MOFComp Execution, Explorer Process Executing HTA File, Equation Group DLL_U Load, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Regasm Regsvcs Usage, CMSTP Execution, SquirrelWaffle Malspam Execution Loading DLL, Control Panel Items, Suspicious Control Process, AccCheckConsole Executing Dll, Mshta JavaScript Execution, Suspicious Windows Installer Execution, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, QakBot Process Creation, Suspicious CodePage Switch with CHCP, Microsoft Office Creating Suspicious File, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Suspicious VBS Execution Parameter, Microsoft Office Spawning Script, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Winword Document Droppers, Malspam Execution Registering Malicious DLL, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, ZIP LNK Infection Chain, Microsoft Office Creating Suspicious File, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Winword Document Droppers, Malspam Execution Registering Malicious DLL, Suspicious Outlook Child Process, HTA Infection Chains, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, ISO LNK Infection Chain, Exploit For CVE-2015-1641, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, WMImplant Hack Tool, Suspicious PowerShell Keywords, PowerShell Downgrade Attack, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Powershell Web Request, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Taskkill Command, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, Mshta Suspicious Child Process, PowerShell Download From URL, Invoke-TheHash Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, Suspicious PowerShell Invocations - Generic, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, PowerShell Invoke Expression With Registry"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, WMI Fingerprint Commands, Shadow Copies, System Info Discovery, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Password Change On Directory Service Restore Mode (DSRM) Account, Add User to Privileged Group, Enabling Restricted Admin Mode"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Powershell AMSI Bypass, Netsh Port Opening, Netsh Program Allowed With Suspicious Location, Netsh Allow Command, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Ursnif Registry Key, Suspicious New Printer Ports In Registry, RedMimicry Winnti Playbook Registry Manipulation, RDP Sensitive Settings Changed, Wdigest Enable UseLogonCredential, Suspicious Desktopimgdownldr Execution, DHCP Callout DLL Installation, FlowCloud Malware, DNS ServerLevelPluginDll Installation, OceanLotus Registry Activity, NetNTLM Downgrade Attack, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, COM Hijack Via Sdclt, Control Panel Items, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, HTML Smuggling Suspicious Usage, Reconnaissance Commands Activities, WMI Persistence Script Event Consumer File Write, Change Default File Association, Component Object Model Hijacking"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password, PowerShell Data Compressed"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Information Stealer Downloading Legitimate Third-Party DLLs"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Openfiles Usage, Network Scanning and Discovery, Shell PID Injection, PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Shell PID Injection, Discovery Commands Correlation, Active Directory Data Export Using Csvde, PowerView commandlets 1, Reconnaissance Commands Activities, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Trickbot Malware Activity, PowerView commandlets 1, AdFind Usage, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, IIS Module Installation Using AppCmd, Webshell Execution W3WP Process, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Copy Of Legitimate System32 Executable, Legitimate Process Execution From Unusual Folder, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, RTLO Character, Suspicious Cmd.exe Command Line, Explorer Wrong Parent"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Ngrok Process Execution, Netsh Port Forwarding, Potential DNS Tunnel"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Correlation Multi Service Disable"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Stop Backup Services"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Process Call Creation, WMIC Uninstall Product, Impacket Wmiexec Module, WMImplant Hack Tool, WMI Install Of Binary, WMI Fingerprint Commands, Invoke-TheHash Commandlets, Suspicious Mshta Execution From Wmi, Wmic Service Call, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining, Correlation Potential DNS Tunnel, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Correlation Potential DNS Tunnel, Suspicious Windows DNS Queries, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Cryptomining"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Autorun Keys Modification, Leviathan Registry Key Activity, Powershell Winlogon Helper DLL, DLL Load via LSASS Registry Key, Svchost Modification, Njrat Registry Values, Kernel Module Alteration, NjRat Registry Changes"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Impacket Addcomputer, Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious XOR Encoded PowerShell Command Line, Suspicious certutil command, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Gpresult Usage, Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, Network Sniffing, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Rare Lsass Child Found, SolarWinds Wrong Child Process, Csrss Child Found, OneNote Suspicious Children Process, Searchprotocolhost Child Found, PsExec Process, Taskhost or Taskhostw Suspicious Child Found, Rare Logonui Child Found, Suspicious DNS Child Process, Winword wrong parent, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Rare Lsass Child Found, SolarWinds Wrong Child Process, Exfiltration Via Pscp, Csrss Child Found, OneNote Suspicious Children Process, Windows Update LolBins, Searchprotocolhost Child Found, PsExec Process, Taskhost or Taskhostw Suspicious Child Found, Rare Logonui Child Found, Suspicious DNS Child Process, SolarWinds Suspicious File Creation, Winword wrong parent, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Rare Lsass Child Found, SolarWinds Wrong Child Process, Csrss Child Found, OneNote Suspicious Children Process, Searchprotocolhost Child Found, Taskhost or Taskhostw Suspicious Child Found, Rare Logonui Child Found, Winword wrong parent, New Service Creation, Explorer Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Rare Lsass Child Found, SolarWinds Wrong Child Process, Csrss Child Found, OneNote Suspicious Children Process, Searchprotocolhost Child Found, Taskhost or Taskhostw Suspicious Child Found, Rare Logonui Child Found, Winword wrong parent, New Service Creation, Explorer Wrong Parent"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Office Application Startup Office Test"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Svchost Modification, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, Information Stealer Downloading Legitimate Third-Party DLLs, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, PowerShell Execution Via Rundll32, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Suspicious Process Requiring DLL Starts Without DLL, MavInject Process Injection, Explorer Wrong Parent, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands, Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: System Network Connections Discovery, ACLight Discovering Privileged Accounts, Remote System Discovery Via Telnet, Adidnsdump Enumeration"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, WMIC Uninstall Product, MalwareBytes Uninstallation, Exploited CVE-2020-10189 Zoho ManageEngine, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Lazarus Loaders, Elise Backdoor, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, Phorpiex DriveMgr Command, Mustang Panda Dropper"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access, Adexplorer Usage, Linux Suspicious Search, Opening Of a Password File, Container Credential Access"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, Erase Shell History, ETW Tampering, Compression Followed By Suppression"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Potential DNS Tunnel, Exfiltration Domain, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious Hangul Word Processor Child Process, Msdt (Follina) File Browse Process Execution, Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, Suspicious Outlook Child Process, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, Suspicious Windows DNS Queries"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern, Credential Dump Tools Related Files, Process Memory Dump Using Createdump, Windows Credential Editor Registry Key"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, Dynamic Linker Hijacking From Environment Variable, DNS ServerLevelPluginDll Installation, Exploiting SetupComplete.cmd CVE-2019-1378, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, Discovery Commands Correlation"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup, Wmic Suspicious Commands"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding, Suspicious TOR Gateway"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Shell PID Injection"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Sophos Analysis Threat Center", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, PowerShell Commands Invocation, Suspicious File Name, Bloodhound and Sharphound Tools Usage, Suspicious XOR Encoded PowerShell Command Line, Venom Multi-hop Proxy agent detection, Suspicious PowerShell Keywords, Suspicious Cmd.exe Command Line, WMIC Uninstall Product, Suspicious PowerShell Invocations - Specific, Suspicious VBS Execution Parameter, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious CodePage Switch with CHCP, Microsoft Office Spawning Script, Socat Reverse Shell Detection, Phorpiex DriveMgr Command, Invoke-TheHash Commandlets, Malspam Execution Registering Malicious DLL, Powershell Web Request, XSL Script Processing And SquiblyTwo Attack, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Office Creating Suspicious File, Mshta Suspicious Child Process, WMImplant Hack Tool, Sekoia.io EICAR Detection, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Socat Relaying Socket, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, FromBase64String Command Line, Suspicious Taskkill Command, Generic-reverse-shell-oneliner, QakBot Process Creation, Linux Bash Reverse Shell, PowerShell Downgrade Attack, Elise Backdoor, Exploited CVE-2020-10189 Zoho ManageEngine, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PowerShell Invocations - Generic, Trickbot Malware Activity, Suspicious Windows Script Execution, Mustang Panda Dropper, SquirrelWaffle Malspam Execution Loading DLL, Lazarus Loaders, Sysprep On AppData Folder, Suspicious Outlook Child Process, PowerShell Download From URL"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, FLTMC command usage"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Windows Firewall Changes, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Program Allowed With Suspicious Location, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Powershell AMSI Bypass, Microsoft Defender Antivirus Exclusion Configuration, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Opening, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Port Opening, Disabled IE Security Features, Netsh Port Forwarding, FLTMC command usage, Netsh Allow Command, NetNTLM Downgrade Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, ETW Tampering, Disable .NET ETW Through COMPlus_ETWEnabled, AMSI Deactivation Using Registry Key, Suspicious Driver Loaded, Microsoft Defender Antivirus Disable Services, Address Space Layout Randomization (ASLR) Alteration, Fail2ban Unban IP, Clear EventLogs Through CommandLine, Raccine Uninstall, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Suspicious PROCEXP152.sys File Created In Tmp, Disable Task Manager Through Registry Key"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Program Allowed With Suspicious Location, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Microsoft Defender Antivirus Exclusion Configuration, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Port Opening, Disabled IE Security Features, Netsh Port Forwarding, NetNTLM Downgrade Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, AMSI Deactivation Using Registry Key, Suspicious Driver Loaded, Microsoft Defender Antivirus Disable Services, Address Space Layout Randomization (ASLR) Alteration, Fail2ban Unban IP, Raccine Uninstall, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Suspicious PROCEXP152.sys File Created In Tmp, Disable Task Manager Through Registry Key"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Process Memory Dump Using Comsvcs, NTDS.dit File In Suspicious Directory, HackTools Suspicious Process Names In Command Line, HackTools Suspicious Names, Process Trace Alteration, Grabbing Sensitive Hives Via Reg Utility, Rubeus Tool Command-line, Copying Sensitive Files With Credential Data, Credential Dump Tools Related Files, Suspicious CommandLine Lsassy Pattern, WCE wceaux.dll Creation, NetNTLM Downgrade Attack, Process Memory Dump Using Rdrleakdiag, Wdigest Enable UseLogonCredential, Process Memory Dump Using Createdump, Windows Credential Editor Registry Key, Mimikatz Basic Commands, NTDS.dit File Interaction Through Command Line, Copying Browser Files With Credentials"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File, Information Stealer Downloading Legitimate Third-Party DLLs, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Rclone Process, Suspicious Finger Usage"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, CMSTP UAC Bypass via COM Object Access, Reconnaissance Commands Activities, Shell PID Injection, COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, UAC Bypass Via Sdclt"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, Mshta JavaScript Execution, MavInject Process Injection, Suspicious Control Process, MOFComp Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Regasm Regsvcs Usage, Malspam Execution Registering Malicious DLL, CertOC Loading Dll, xWizard Execution, PowerShell Execution Via Rundll32, Control Panel Items, Empire Monkey Activity, Suspicious Desktopimgdownldr Execution, Suspicious Taskkill Command, Suspicious Mshta Execution, Suspicious DLL Loading By Ordinal, Suspicious Regsvr32 Execution, CMSTP UAC Bypass via COM Object Access, CMSTP Execution, Explorer Process Executing HTA File, Equation Group DLL_U Load, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Microsoft Office Spawning Script, Malspam Execution Registering Malicious DLL, XSL Script Processing And SquiblyTwo Attack, Microsoft Office Creating Suspicious File, Suspicious Windows Script Execution, SquirrelWaffle Malspam Execution Loading DLL, QakBot Process Creation, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Exploit For CVE-2015-1641, Explorer Process Executing HTA File, Winword Document Droppers, Microsoft Office Creating Suspicious File, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, Microsoft Office Spawning Script, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Exploit For CVE-2015-1641, Explorer Process Executing HTA File, HTA Infection Chains, Winword Document Droppers, Microsoft Office Creating Suspicious File, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, Suspicious Outlook Child Process, ISO LNK Infection Chain"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, Bloodhound and Sharphound Tools Usage, Suspicious XOR Encoded PowerShell Command Line, Suspicious PowerShell Keywords, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, Invoke-TheHash Commandlets, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), Mshta Suspicious Child Process, WMImplant Hack Tool, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, FromBase64String Command Line, Suspicious Taskkill Command, PowerShell Downgrade Attack, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious PowerShell Invocations - Generic, PowerShell Download From URL"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, WMI Fingerprint Commands, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, Shadow Copies, System Info Discovery"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account, Enabling Restricted Admin Mode, Add User to Privileged Group, Mimikatz Basic Commands"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Netsh Allow Command, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Program Allowed With Suspicious Location, Powershell AMSI Bypass, Netsh Port Opening, Netsh Port Forwarding"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, NetNTLM Downgrade Attack, Blue Mockingbird Malware, FlowCloud Malware, Wdigest Enable UseLogonCredential, RDP Sensitive Settings Changed, Suspicious New Printer Ports In Registry, RedMimicry Winnti Playbook Registry Manipulation, OceanLotus Registry Activity, Suspicious Desktopimgdownldr Execution, DHCP Callout DLL Installation, Disable .NET ETW Through COMPlus_ETWEnabled, Ursnif Registry Key"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence, Control Panel Items, Component Object Model Hijacking, Reconnaissance Commands Activities, Change Default File Association, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, New DLL Added To AppCertDlls Registry Key, COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, PowerShell Data Compressed, Data Compressed With Rar With Password"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, Suspicious DNS Child Process"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Information Stealer Downloading Legitimate Third-Party DLLs"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, PowerView commandlets 2, Openfiles Usage, Shell PID Injection, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, Reconnaissance Commands Activities, Shell PID Injection, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 1, Network Share Discovery, PowerView commandlets 2"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, Trickbot Malware Activity, PowerView commandlets 2, NlTest Usage, AdFind Usage, PowerView commandlets 1"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading, Webshell Creation, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading, Webshell Creation, IIS Module Installation Using AppCmd, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Copy Of Legitimate System32 Executable, Formbook Hijacked Process Command, Non-Legitimate Executable Using AcceptEula Parameter, Legitimate Process Execution From Unusual Folder, Suspicious Cmd.exe Command Line, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Socat Reverse Shell Detection, Socat Relaying Socket, Potential DNS Tunnel, Venom Multi-hop Proxy agent detection, Ngrok Process Execution, Netsh Port Forwarding"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Stop Backup Services, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, WMI Fingerprint Commands, WMI Install Of Binary, Impacket Wmiexec Module, Invoke-TheHash Commandlets, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, Wmic Process Call Creation, WMIC Uninstall Product, WMImplant Hack Tool, Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Correlation Potential DNS Tunnel, Cryptomining, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Cryptomining, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Correlation Potential DNS Tunnel, Suspicious Windows DNS Queries, DNS Tunnel Technique From MuddyWater, Dynamic DNS Contacted"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, DLL Load via LSASS Registry Key, NjRat Registry Changes, Svchost Modification, Njrat Registry Values, Autorun Keys Modification, Kernel Module Alteration, Powershell Winlogon Helper DLL, Malware Persistence Registry Key"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created, Impacket Addcomputer"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Suspicious XOR Encoded PowerShell Command Line, OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Taskhost or Taskhostw Suspicious Child Found, Usage Of Procdump With Common Arguments, Csrss Child Found, Rare Logonui Child Found, Usage Of Sysinternals Tools, SolarWinds Wrong Child Process, Rare Lsass Child Found, Searchprotocolhost Child Found, PsExec Process, Winword wrong parent, OneNote Suspicious Children Process, Suspicious DNS Child Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Exfiltration Via Pscp, Taskhost or Taskhostw Suspicious Child Found, Windows Update LolBins, Usage Of Procdump With Common Arguments, Csrss Child Found, Rare Logonui Child Found, SolarWinds Suspicious File Creation, Usage Of Sysinternals Tools, SolarWinds Wrong Child Process, Rare Lsass Child Found, Searchprotocolhost Child Found, PsExec Process, Winword wrong parent, OneNote Suspicious Children Process, Suspicious DNS Child Process"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Taskhost or Taskhostw Suspicious Child Found, OneNote Suspicious Children Process, Rare Logonui Child Found, Csrss Child Found, SolarWinds Wrong Child Process, Rare Lsass Child Found, Searchprotocolhost Child Found, Explorer Wrong Parent, Winword wrong parent, New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Taskhost or Taskhostw Suspicious Child Found, OneNote Suspicious Children Process, Rare Logonui Child Found, Csrss Child Found, SolarWinds Wrong Child Process, Rare Lsass Child Found, Searchprotocolhost Child Found, Explorer Wrong Parent, Winword wrong parent, New Service Creation"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, IcedID Execution Using Excel"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, Svchost Modification, Malware Persistence Registry Key"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, Empire Monkey Activity, Equation Group DLL_U Load, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, Suspicious Process Requiring DLL Starts Without DLL, MavInject Process Injection, Explorer Wrong Parent"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, Suspicious Headless Web Browser Execution To Download File, Discovery Commands Correlation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, Cmd.exe Used To Run Reconnaissance Commands, Discovery Commands Correlation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, System Network Connections Discovery, Remote System Discovery Via Telnet, ACLight Discovering Privileged Accounts"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Elise Backdoor, Exploited CVE-2020-10189 Zoho ManageEngine, Exploiting SetupComplete.cmd CVE-2019-1378, Phorpiex DriveMgr Command, Malspam Execution Registering Malicious DLL, Suspicious Cmd.exe Command Line, Suspicious Taskkill Command, Mustang Panda Dropper, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Adexplorer Usage, Opening Of a Password File, Linux Suspicious Search, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, Erase Shell History, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line, Exfiltration Domain"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Explorer Wrong Parent"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious New Printer Ports In Registry, Msdt (Follina) File Browse Process Execution, Exploit For CVE-2015-1641, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Hangul Word Processor Child Process, Suspicious Outlook Child Process"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, Suspicious Windows DNS Queries"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Windows Credential Editor Registry Key, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Exploiting SetupComplete.cmd CVE-2019-1378, Hijack Legit RDP Session To Move Laterally, Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Suspicious New Printer Ports In Registry, Certify Or Certipy, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Shell PID Injection, Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_9b95c9cf-8b78-4830-a1ed-b9e88f05e67a_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_9b95c9cf-8b78-4830-a1ed-b9e88f05e67a_do_not_edit_manually.json
index 1753b2a845..b472035de9 100644
--- a/_shared_content/operations_center/detection/generated/attack_9b95c9cf-8b78-4830-a1ed-b9e88f05e67a_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_9b95c9cf-8b78-4830-a1ed-b9e88f05e67a_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Palo Alto Cortex XDR (EDR)", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Palo Alto Cortex XDR (EDR) Alert Not Blocked (High Severity), ZIP LNK Infection Chain, Microsoft Office Creating Suspicious File, Palo Alto Cortex XDR (EDR) Alert Not Blocked (Medium Severity), Malspam Execution Registering Malicious DLL, HTA Infection Chains, Palo Alto Cortex XDR (EDR) Alert Not Blocked (Low Severity), Cobalt Strike Default Beacons Names, ISO LNK Infection Chain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Venom Multi-hop Proxy agent detection, Suspicious Windows Script Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious CodePage Switch with CHCP, Default Encoding To UTF-8 PowerShell, Socat Reverse Shell Detection, Generic-reverse-shell-oneliner, WMImplant Hack Tool, Suspicious PowerShell Keywords, PowerShell Downgrade Attack, Suspicious PrinterPorts Creation (CVE-2020-1048), Mustang Panda Dropper, PowerShell EncodedCommand, QakBot Process Creation, Socat Relaying Socket, Sysprep On AppData Folder, Python Offensive Tools and Packages, Powershell Web Request, Malspam Execution Registering Malicious DLL, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Taskkill Command, AutoIt3 Execution From Suspicious Folder, Bloodhound and Sharphound Tools Usage, MalwareBytes Uninstallation, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Download From URL, PowerShell Commands Invocation, Invoke-TheHash Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, XSL Script Processing And SquiblyTwo Attack, Suspicious XOR Encoded PowerShell Command Line, WMIC Uninstall Product, Suspicious PowerShell Invocations - Generic, Microsoft Office Creating Suspicious File, Suspicious VBS Execution Parameter, Suspicious PowerShell Invocations - Specific, Lazarus Loaders, Elise Backdoor, DNS Exfiltration and Tunneling Tools Execution, PowerShell Invoke Expression With Registry, Suspicious File Name, Linux Bash Reverse Shell"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Exclusion Configuration, Netsh RDP Port Opening, Package Manager Alteration, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PROCEXP152.sys File Created In Tmp, Netsh RDP Port Forwarding, Netsh Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Disabled IE Security Features, MalwareBytes Uninstallation, Raccine Uninstall, Disable Windows Defender Credential Guard, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Disable Services, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, WMIC Uninstall Product, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Port Opening, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Task Manager Through Registry Key, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Driver Loaded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Allow Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Exclusion Configuration, Netsh RDP Port Opening, Disable .NET ETW Through COMPlus_ETWEnabled, Package Manager Alteration, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PROCEXP152.sys File Created In Tmp, Netsh RDP Port Forwarding, Netsh Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Disabled IE Security Features, ETW Tampering, Powershell AMSI Bypass, MalwareBytes Uninstallation, Raccine Uninstall, Disable Windows Defender Credential Guard, Address Space Layout Randomization (ASLR) Alteration, Windows Firewall Changes, Microsoft Defender Antivirus Disable Using Registry, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable Services, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, WMIC Uninstall Product, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Port Opening, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Task Manager Through Registry Key, Netsh Allowed Python Program, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Driver Loaded"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Process Names In Command Line, NTDS.dit File In Suspicious Directory, Mimikatz Basic Commands, Process Memory Dump Using Comsvcs, Grabbing Sensitive Hives Via Reg Utility, WCE wceaux.dll Creation, Copying Browser Files With Credentials, HackTools Suspicious Names, NTDS.dit File Interaction Through Command Line, Suspicious CommandLine Lsassy Pattern, Windows Credential Editor Registry Key, Cmdkey Cached Credentials Recon, Process Trace Alteration, Rubeus Tool Command-line, Wdigest Enable UseLogonCredential, Credential Dump Tools Related Files, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Ursnif Registry Key, Suspicious New Printer Ports In Registry, RedMimicry Winnti Playbook Registry Manipulation, RDP Sensitive Settings Changed, Wdigest Enable UseLogonCredential, Suspicious Desktopimgdownldr Execution, Disable Workstation Lock, DHCP Callout DLL Installation, FlowCloud Malware, DNS ServerLevelPluginDll Installation, OceanLotus Registry Activity, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Information Stealer Downloading Legitimate Third-Party DLLs"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Rclone Process, Suspicious certutil command, Information Stealer Downloading Legitimate Third-Party DLLs, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, QakBot Process Creation, Suspicious CodePage Switch with CHCP, Microsoft Office Creating Suspicious File, Malspam Execution Registering Malicious DLL, Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, COM Hijack Via Sdclt, Control Panel Items, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, HTML Smuggling Suspicious Usage, Sticky Key Like Backdoor Usage, WMI Persistence Script Event Consumer File Write, Reconnaissance Commands Activities, Change Default File Association, Component Object Model Hijacking"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, WMI Fingerprint Commands, Shadow Copies, System Info Discovery, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Add User to Privileged Group, Enabling Restricted Admin Mode, SSH Authorized Key Alteration"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Powershell AMSI Bypass, Netsh Port Opening, Netsh Allow Command, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Empire Monkey Activity, Suspicious Desktopimgdownldr Execution, Suspicious Mshta Execution, xWizard Execution, Suspicious Regsvr32 Execution, Malspam Execution Registering Malicious DLL, MavInject Process Injection, PowerShell Execution Via Rundll32, CertOC Loading Dll, Suspicious DLL Loading By Ordinal, Suspicious Taskkill Command, Explorer Process Executing HTA File, Equation Group DLL_U Load, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Regasm Regsvcs Usage, CMSTP Execution, Control Panel Items, Suspicious Control Process, AccCheckConsole Executing Dll, Mshta JavaScript Execution, Suspicious Windows Installer Execution, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password, PowerShell Data Compressed"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Cron Files Alteration, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Shell PID Injection, COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, Reconnaissance Commands Activities, UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Openfiles Usage, Network Scanning and Discovery, Shell PID Injection, PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Shell PID Injection, Discovery Commands Correlation, Active Directory Data Export Using Csvde, PowerView commandlets 1, Reconnaissance Commands Activities, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, PowerView commandlets 1, AdFind Usage, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Webshell Creation, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Webshell Creation, IIS Module Installation Using AppCmd, PowerCat Function Loading"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Copy Of Legitimate System32 Executable, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder, Non-Legitimate Executable Using AcceptEula Parameter, AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, RTLO Character"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Ngrok Process Execution, Netsh Port Forwarding, Potential DNS Tunnel"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Correlation Multi Service Disable"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Stop Backup Services"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Malspam Execution Registering Malicious DLL, Explorer Process Executing HTA File"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Process Call Creation, WMIC Uninstall Product, WMImplant Hack Tool, WMI Install Of Binary, WMI Fingerprint Commands, Invoke-TheHash Commandlets, Wmic Service Call, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, WMImplant Hack Tool, Suspicious PowerShell Keywords, PowerShell Downgrade Attack, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Powershell Web Request, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Taskkill Command, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Download From URL, Invoke-TheHash Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, Suspicious PowerShell Invocations - Generic, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, PowerShell Invoke Expression With Registry"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Autorun Keys Modification, Leviathan Registry Key Activity, Powershell Winlogon Helper DLL, DLL Load via LSASS Registry Key, Suspicious desktop.ini Action, Svchost Modification, Njrat Registry Values, Security Support Provider (SSP) Added to LSA Configuration, RUN Registry Key Created From Suspicious Folder, Kernel Module Alteration, NjRat Registry Changes"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious XOR Encoded PowerShell Command Line, Suspicious certutil command, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Gpresult Usage, Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, Network Sniffing, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, PsExec Process, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Exfiltration Via Pscp, OneNote Suspicious Children Process, PsExec Process, SolarWinds Suspicious File Creation, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, New Service Creation"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Leviathan Registry Key Activity, Autorun Keys Modification, Svchost Modification, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, Information Stealer Downloading Legitimate Third-Party DLLs, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: System Network Connections Discovery, ACLight Discovering Privileged Accounts, Remote System Discovery Via Telnet, Adidnsdump Enumeration"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, WMIC Uninstall Product, MalwareBytes Uninstallation, Malspam Execution Registering Malicious DLL, Lazarus Loaders, Elise Backdoor, Suspicious Taskkill Command, Phorpiex DriveMgr Command, Mustang Panda Dropper"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access, Adexplorer Usage, Linux Suspicious Search, Opening Of a Password File, Container Credential Access"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Cookies Deletion, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, Erase Shell History, ETW Tampering, Compression Followed By Suppression"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Potential DNS Tunnel, Exfiltration Domain, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution, Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Malspam Execution Registering Malicious DLL, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, Suspicious Windows DNS Queries"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Correlation Potential DNS Tunnel, Suspicious Windows DNS Queries, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining, Sliver DNS Beaconing"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern, Credential Dump Tools Related Files, Process Memory Dump Using Createdump, Windows Credential Editor Registry Key"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, Dynamic Linker Hijacking From Environment Variable, DNS ServerLevelPluginDll Installation, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution, Cryptomining, Sliver DNS Beaconing"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, Discovery Commands Correlation"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup, Wmic Suspicious Commands"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy, Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding, Suspicious TOR Gateway"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Shell PID Injection"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Palo Alto Cortex XDR (EDR)", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, Palo Alto Cortex XDR (EDR) Alert Not Blocked (High Severity), Palo Alto Cortex XDR (EDR) Alert Not Blocked (Low Severity), Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, HTA Infection Chains, Explorer Process Executing HTA File, ISO LNK Infection Chain, Microsoft Office Creating Suspicious File, Palo Alto Cortex XDR (EDR) Alert Not Blocked (Medium Severity)"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, PowerShell Commands Invocation, Suspicious File Name, Bloodhound and Sharphound Tools Usage, Suspicious XOR Encoded PowerShell Command Line, Venom Multi-hop Proxy agent detection, Suspicious PowerShell Keywords, WMIC Uninstall Product, Suspicious PowerShell Invocations - Specific, Suspicious VBS Execution Parameter, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious CodePage Switch with CHCP, Socat Reverse Shell Detection, Phorpiex DriveMgr Command, Invoke-TheHash Commandlets, Malspam Execution Registering Malicious DLL, Powershell Web Request, XSL Script Processing And SquiblyTwo Attack, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Office Creating Suspicious File, WMImplant Hack Tool, Sekoia.io EICAR Detection, Default Encoding To UTF-8 PowerShell, Python Offensive Tools and Packages, DNS Exfiltration and Tunneling Tools Execution, AutoIt3 Execution From Suspicious Folder, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Socat Relaying Socket, PowerShell EncodedCommand, FromBase64String Command Line, Suspicious Taskkill Command, Generic-reverse-shell-oneliner, QakBot Process Creation, Linux Bash Reverse Shell, PowerShell Downgrade Attack, Elise Backdoor, Suspicious PowerShell Invocations - Generic, Suspicious Windows Script Execution, Mustang Panda Dropper, Lazarus Loaders, Sysprep On AppData Folder, PowerShell Download From URL"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable SecurityHealth, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Microsoft Defender Antivirus Exclusion Configuration, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Port Opening, Disabled IE Security Features, Netsh Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, Package Manager Alteration, AMSI Deactivation Using Registry Key, Suspicious Driver Loaded, Microsoft Defender Antivirus Disable Services, Address Space Layout Randomization (ASLR) Alteration, Fail2ban Unban IP, Raccine Uninstall, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Suspicious PROCEXP152.sys File Created In Tmp, Disable Task Manager Through Registry Key"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Windows Firewall Changes, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable SecurityHealth, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Powershell AMSI Bypass, Microsoft Defender Antivirus Exclusion Configuration, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Opening, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Port Opening, Disabled IE Security Features, Netsh Port Forwarding, Netsh Allow Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, ETW Tampering, Package Manager Alteration, Disable .NET ETW Through COMPlus_ETWEnabled, AMSI Deactivation Using Registry Key, Suspicious Driver Loaded, Microsoft Defender Antivirus Disable Services, Address Space Layout Randomization (ASLR) Alteration, Fail2ban Unban IP, Clear EventLogs Through CommandLine, Raccine Uninstall, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Suspicious PROCEXP152.sys File Created In Tmp, Disable Task Manager Through Registry Key"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Process Memory Dump Using Comsvcs, NTDS.dit File In Suspicious Directory, HackTools Suspicious Process Names In Command Line, HackTools Suspicious Names, Process Trace Alteration, Grabbing Sensitive Hives Via Reg Utility, Rubeus Tool Command-line, Copying Sensitive Files With Credential Data, Credential Dump Tools Related Files, Suspicious CommandLine Lsassy Pattern, WCE wceaux.dll Creation, Process Memory Dump Using Rdrleakdiag, Wdigest Enable UseLogonCredential, Process Memory Dump Using Createdump, Windows Credential Editor Registry Key, Mimikatz Basic Commands, NTDS.dit File Interaction Through Command Line, Copying Browser Files With Credentials"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Disable Workstation Lock, Blue Mockingbird Malware, FlowCloud Malware, Wdigest Enable UseLogonCredential, RDP Sensitive Settings Changed, Suspicious New Printer Ports In Registry, RedMimicry Winnti Playbook Registry Manipulation, OceanLotus Registry Activity, Suspicious Desktopimgdownldr Execution, DHCP Callout DLL Installation, Disable .NET ETW Through COMPlus_ETWEnabled, Ursnif Registry Key"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Information Stealer Downloading Legitimate Third-Party DLLs"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File, Information Stealer Downloading Legitimate Third-Party DLLs, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Rclone Process, Suspicious Finger Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Malspam Execution Registering Malicious DLL, XSL Script Processing And SquiblyTwo Attack, Microsoft Office Creating Suspicious File, Suspicious Windows Script Execution, QakBot Process Creation, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence, Control Panel Items, Component Object Model Hijacking, Sticky Key Like Backdoor Usage, Reconnaissance Commands Activities, Change Default File Association, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, New DLL Added To AppCertDlls Registry Key, COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, WMI Fingerprint Commands, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, Shadow Copies, System Info Discovery"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Enabling Restricted Admin Mode, Add User to Privileged Group, SSH Authorized Key Alteration"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Netsh Allow Command, Netsh RDP Port Forwarding, Windows Firewall Changes, Powershell AMSI Bypass, Netsh Port Opening, Netsh Port Forwarding"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, Suspicious Rundll32.exe Execution, Mshta JavaScript Execution, MavInject Process Injection, Suspicious Control Process, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Regasm Regsvcs Usage, Malspam Execution Registering Malicious DLL, CertOC Loading Dll, xWizard Execution, PowerShell Execution Via Rundll32, Control Panel Items, Empire Monkey Activity, Suspicious Desktopimgdownldr Execution, Suspicious Taskkill Command, Suspicious Mshta Execution, Suspicious DLL Loading By Ordinal, Suspicious Regsvr32 Execution, CMSTP Execution, Explorer Process Executing HTA File, Equation Group DLL_U Load"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, PowerShell Data Compressed, Data Compressed With Rar With Password"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Cron Files Alteration, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, Reconnaissance Commands Activities, Shell PID Injection, COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, UAC Bypass Via Sdclt"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, PowerView commandlets 2, Openfiles Usage, Shell PID Injection, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, Reconnaissance Commands Activities, Shell PID Injection, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 1, Network Share Discovery, PowerView commandlets 2"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, AdFind Usage, NlTest Usage, PowerView commandlets 1"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, IIS Module Installation Using AppCmd, Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Copy Of Legitimate System32 Executable, AutoIt3 Execution From Suspicious Folder, Non-Legitimate Executable Using AcceptEula Parameter, Legitimate Process Execution From Unusual Folder, Phorpiex Process Masquerading, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Socat Reverse Shell Detection, Socat Relaying Socket, Potential DNS Tunnel, Venom Multi-hop Proxy agent detection, Ngrok Process Execution, Netsh Port Forwarding"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Stop Backup Services, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, WMI Fingerprint Commands, WMI Install Of Binary, Invoke-TheHash Commandlets, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, Wmic Process Call Creation, WMIC Uninstall Product, WMImplant Hack Tool"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, Bloodhound and Sharphound Tools Usage, Suspicious XOR Encoded PowerShell Command Line, Suspicious PowerShell Keywords, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, Invoke-TheHash Commandlets, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), WMImplant Hack Tool, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, FromBase64String Command Line, Suspicious Taskkill Command, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Generic, PowerShell Download From URL"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, DLL Load via LSASS Registry Key, Malware Persistence Registry Key, RUN Registry Key Created From Suspicious Folder, Suspicious desktop.ini Action, NjRat Registry Changes, Svchost Modification, Njrat Registry Values, Autorun Keys Modification, Kernel Module Alteration, Powershell Winlogon Helper DLL, Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Suspicious XOR Encoded PowerShell Command Line, OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments, OneNote Suspicious Children Process, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Exfiltration Via Pscp, Usage Of Procdump With Common Arguments, SolarWinds Suspicious File Creation, Usage Of Sysinternals Tools, PsExec Process, OneNote Suspicious Children Process"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder, Svchost Modification, Autorun Keys Modification, Malware Persistence Registry Key"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, Suspicious Headless Web Browser Execution To Download File, Discovery Commands Correlation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, System Network Connections Discovery, Remote System Discovery Via Telnet, ACLight Discovering Privileged Accounts"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Elise Backdoor, Phorpiex DriveMgr Command, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Mustang Panda Dropper, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Adexplorer Usage, Opening Of a Password File, Linux Suspicious Search, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, Erase Shell History, Cookies Deletion, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line, Exfiltration Domain"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious New Printer Ports In Registry, Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, Malspam Execution Registering Malicious DLL, Empire Monkey Activity, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, Suspicious Windows DNS Queries"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Cryptomining, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing, Suspicious Windows DNS Queries, Dynamic DNS Contacted"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Windows Credential Editor Registry Key, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Hijack Legit RDP Session To Move Laterally, Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Suspicious New Printer Ports In Registry, Certify Or Certipy"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Shell PID Injection, Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_9f47aa9f-52d7-4849-9462-cf7fc8bcd51a_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_9f47aa9f-52d7-4849-9462-cf7fc8bcd51a_do_not_edit_manually.json
index bb8ca88b62..d903d62aa5 100644
--- a/_shared_content/operations_center/detection/generated/attack_9f47aa9f-52d7-4849-9462-cf7fc8bcd51a_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_9f47aa9f-52d7-4849-9462-cf7fc8bcd51a_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Claroty xDome", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Claroty xDome Network Threat Detection Alert, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, Correlation Potential DNS Tunnel, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Claroty xDome", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Claroty xDome Network Threat Detection Alert"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_9f89b634-0531-437b-b060-a9d9f2d270db_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_9f89b634-0531-437b-b060-a9d9f2d270db_do_not_edit_manually.json
index 9df8e28fa5..f5989ae27b 100644
--- a/_shared_content/operations_center/detection/generated/attack_9f89b634-0531-437b-b060-a9d9f2d270db_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_9f89b634-0531-437b-b060-a9d9f2d270db_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cybereason EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, Microsoft Office Creating Suspicious File, HTA Infection Chains, Cybereason EDR Alert, Cybereason EDR Malware Detection, ISO LNK Infection Chain, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Microsoft Office Creating Suspicious File, Cybereason EDR Alert, Cybereason EDR Malware Detection, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, PsExec Process, Cybereason EDR Alert, SolarWinds Suspicious File Creation, Cybereason EDR Malware Detection"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, PsExec Process"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, Process Trace Alteration, NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation, Credential Dump Tools Related Files"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, Discovery Commands Correlation"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, Discovery Commands Correlation"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Discovery Commands Correlation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cybereason EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, HTA Infection Chains, Cobalt Strike Default Beacons Names, Cybereason EDR Alert, Cybereason EDR Malware Detection, Microsoft Office Creating Suspicious File, ISO LNK Infection Chain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Bloodhound and Sharphound Tools Usage, Cybereason EDR Alert, Cybereason EDR Malware Detection, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, Cybereason EDR Alert, Cybereason EDR Malware Detection, PsExec Process, OneNote Suspicious Children Process"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, OneNote Suspicious Children Process"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Process Trace Alteration, NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation, HackTools Suspicious Names"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Relaying Socket, Exfiltration And Tunneling Tools Execution, Socat Reverse Shell Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, System Info Discovery"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage, NlTest Usage"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_a0716ffd-5f9e-4b97-add4-30f1870e3d03_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_a0716ffd-5f9e-4b97-add4-30f1870e3d03_do_not_edit_manually.json
index 1a54eb9c11..0d3ec1e6d3 100644
--- a/_shared_content/operations_center/detection/generated/attack_a0716ffd-5f9e-4b97-add4-30f1870e3d03_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_a0716ffd-5f9e-4b97-add4-30f1870e3d03_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Netskope Transaction Events", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1557", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential LokiBot User-Agent, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cryptomining, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, LokiBot Default C2 URL"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-21985 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2020-1147 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-17530 Apache Struts RCE, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-41773 Apache 2.4.49 Path Traversal, GitLab CVE-2021-22205, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2019-0604 SharePoint"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential LokiBot User-Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, LokiBot Default C2 URL"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Netskope Transaction Events", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1557", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Covenant Default HTTP Beaconing, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), GitLab CVE-2021-22205, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb_do_not_edit_manually.json
index ac71840ec6..e5eefe68ad 100644
--- a/_shared_content/operations_center/detection/generated/attack_a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Squid", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential LokiBot User-Agent, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Dynamic DNS Contacted, Cobalt Strike HTTP Default POST Beaconing, Correlation Potential DNS Tunnel, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default GET beaconing, Cryptomining, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, LokiBot Default C2 URL"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-21985 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2020-1147 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-17530 Apache Struts RCE, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-41773 Apache 2.4.49 Path Traversal, GitLab CVE-2021-22205, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2019-0604 SharePoint"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage, Suspicious TOR Gateway"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential LokiBot User-Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Cobalt Strike HTTP Default POST Beaconing, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, LokiBot Default C2 URL"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Squid", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Correlation Potential DNS Tunnel, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing, Cobalt Strike HTTP Default GET beaconing, Detect requests to Konni C2 servers, Koadic MSHTML Command, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Covenant Default HTTP Beaconing, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Download Files From Non-Legitimate TLDs, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), GitLab CVE-2021-22205, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing, Cobalt Strike HTTP Default GET beaconing, Detect requests to Konni C2 servers, Koadic MSHTML Command, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_a14b1141-2d61-414b-bf79-da99b487b1af_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_a14b1141-2d61-414b-bf79-da99b487b1af_do_not_edit_manually.json
index 0c6676b697..b1c92a879f 100644
--- a/_shared_content/operations_center/detection/generated/attack_a14b1141-2d61-414b-bf79-da99b487b1af_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_a14b1141-2d61-414b-bf79-da99b487b1af_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x F5 BIG-IP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Login Brute-Force Successful On SentinelOne EDR Management Console, Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Venom Multi-hop Proxy agent detection, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, Socat Reverse Shell Detection, WMImplant Hack Tool, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Mustang Panda Dropper, PowerShell EncodedCommand, QakBot Process Creation, Socat Relaying Socket, Powershell Web Request, Malspam Execution Registering Malicious DLL, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Taskkill Command, Bloodhound and Sharphound Tools Usage, MalwareBytes Uninstallation, PowerShell Commands Invocation, Invoke-TheHash Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Login Brute-Force Successful On SentinelOne EDR Management Console, Phorpiex DriveMgr Command, WMIC Uninstall Product, Suspicious PowerShell Invocations - Generic, Lazarus Loaders, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, PowerShell Invoke Expression With Registry, Linux Bash Reverse Shell"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Login Brute-Force Successful On SentinelOne EDR Management Console, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Portal"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Portal"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Login Brute-Force On Firewall, RSA SecurID Failed Authentification"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner New Issues"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Process Names In Command Line, Process Trace Alteration, Process Memory Dump Using Rdrleakdiag, Mimikatz Basic Commands, Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, Wdigest Enable UseLogonCredential, NTDS.dit File Interaction Through Command Line, Suspicious CommandLine Lsassy Pattern, Copying Browser Files With Credentials"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious certutil command, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Powershell AMSI Bypass, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Forwarding, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh RDP Port Forwarding, Netsh Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Disabled IE Security Features, ETW Tampering, Powershell AMSI Bypass, MalwareBytes Uninstallation, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Windows Firewall Changes, Microsoft Defender Antivirus Disable Using Registry, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Task Manager Through Registry Key, Netsh Allowed Python Program, Debugging Software Deactivation"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Wdigest Enable UseLogonCredential, Suspicious Desktopimgdownldr Execution, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, COM Hijack Via Sdclt, Control Panel Items, HTML Smuggling Suspicious Usage, Reconnaissance Commands Activities, Change Default File Association, Component Object Model Hijacking"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, Reconnaissance Commands Activities, UAC Bypass Via Sdclt"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, PowerView commandlets 1, Reconnaissance Commands Activities, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, PowerView commandlets 1, AdFind Usage, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, MavInject Process Injection, Suspicious Desktopimgdownldr Execution, Equation Group DLL_U Load, Control Panel Items, CertOC Loading Dll, Suspicious DLL Loading By Ordinal, Suspicious Taskkill Command, Suspicious Windows Installer Execution"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths, PowerCat Function Loading"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket, SOCKS Tunneling Tool, Ngrok Process Execution, Netsh Port Forwarding, Potential DNS Tunnel"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Correlation Multi Service Disable"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Stop Backup Services"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Process Call Creation, WMIC Uninstall Product, WMImplant Hack Tool, WMI Install Of Binary, WMI Fingerprint Commands, Invoke-TheHash Commandlets, Wmic Service Call, Blue Mockingbird Malware"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host, Rubeus Tool Command-line"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, Default Encoding To UTF-8 PowerShell, Suspicious PowerShell Invocations - Generic, Powershell Web Request, WMImplant Hack Tool, Suspicious PowerShell Keywords, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, FromBase64String Command Line, DNS Exfiltration and Tunneling Tools Execution, Suspicious Taskkill Command, PowerShell Invoke Expression With Registry, Invoke-TheHash Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Bloodhound and Sharphound Tools Usage, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Autorun Keys Modification, Leviathan Registry Key Activity, Njrat Registry Values, NjRat Registry Changes"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, WMIC Uninstall Product, MalwareBytes Uninstallation, Raccine Uninstall, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Disable Services, Netsh RDP Port Forwarding, Netsh Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Disabled IE Security Features"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, QakBot Process Creation"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: ACLight Discovering Privileged Accounts, Internet Scanner Target, Internet Scanner, Adidnsdump Enumeration"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group, Login Brute-Force On Firewall"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, ETW Tampering, Compression Followed By Suppression"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Potential DNS Tunnel, Exfiltration Domain, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, PowerShell Data Compressed"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, MalwareBytes Uninstallation, Malspam Execution Registering Malicious DLL, Lazarus Loaders, Suspicious Taskkill Command, Phorpiex DriveMgr Command, Mustang Panda Dropper"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Msdt (Follina) File Browse Process Execution, Download Files From Suspicious TLDs"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution, Cryptomining, Sliver DNS Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Covenant Default HTTP Beaconing, Python HTTP Server, Koadic MSHTML Command, Dynamic DNS Contacted, Cobalt Strike HTTP Default POST Beaconing, TrevorC2 HTTP Communication, Cobalt Strike HTTP Default GET beaconing, Potential LokiBot User-Agent, Correlation Potential DNS Tunnel, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Sliver DNS Beaconing, LokiBot Default C2 URL, Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Discovery Commands Correlation"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, WMI Fingerprint Commands, Discovery Commands Correlation"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential LokiBot User-Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Cobalt Strike HTTP Default POST Beaconing, TrevorC2 HTTP Communication, Python HTTP Server, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default GET beaconing, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, LokiBot Default C2 URL"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access, Container Credential Access"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding, TOR Usage, Suspicious TOR Gateway"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-21985 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2020-1147 SharePoint, CVE-2021-22986 F5 BIG-IP iControl REST Unauthenticated RCE, CVE-2021-21972 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-17530 Apache Struts RCE, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-41773 Apache 2.4.49 Path Traversal, GitLab CVE-2021-22205, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2019-0604 SharePoint"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage, Suspicious TOR Gateway"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Burp Suite Tool Detected, Internet Scanner"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x F5 BIG-IP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs, Malspam Execution Registering Malicious DLL, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, PowerShell Commands Invocation, Bloodhound and Sharphound Tools Usage, Venom Multi-hop Proxy agent detection, Suspicious PowerShell Keywords, WMIC Uninstall Product, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Socat Reverse Shell Detection, Phorpiex DriveMgr Command, Invoke-TheHash Commandlets, Malspam Execution Registering Malicious DLL, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), WMImplant Hack Tool, Sekoia.io EICAR Detection, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Socat Relaying Socket, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, FromBase64String Command Line, Suspicious Taskkill Command, QakBot Process Creation, Linux Bash Reverse Shell, Suspicious PowerShell Invocations - Generic, Login Brute-Force Successful On SentinelOne EDR Management Console, Mustang Panda Dropper, Lazarus Loaders, MalwareBytes Uninstallation"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments, Login Brute-Force Successful On SentinelOne EDR Management Console, Usage Of Sysinternals Tools"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Portal"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Portal"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification, Login Brute-Force On Firewall"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner New Issues"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, Process Trace Alteration, Suspicious CommandLine Lsassy Pattern, Mimikatz Basic Commands, HackTools Suspicious Process Names In Command Line, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Rdrleakdiag, Wdigest Enable UseLogonCredential, Copying Browser Files With Credentials"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Rclone Process"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Windows Firewall Changes, Powershell AMSI Bypass, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Netsh RDP Port Forwarding, Windows Firewall Changes, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Powershell AMSI Bypass, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Disabled IE Security Features, Netsh Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, ETW Tampering, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable Services, Address Space Layout Randomization (ASLR) Alteration, Clear EventLogs Through CommandLine, Raccine Uninstall, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Blue Mockingbird Malware, Wdigest Enable UseLogonCredential, RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, DHCP Callout DLL Installation, Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Control Panel Items, Reconnaissance Commands Activities, Change Default File Association, New DLL Added To AppCertDlls Registry Key, COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, UAC Bypass Via Sdclt, Reconnaissance Commands Activities"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, Reconnaissance Commands Activities, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, AdFind Usage, NlTest Usage, PowerView commandlets 1"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution, Control Panel Items, Malspam Execution Registering Malicious DLL, CertOC Loading Dll, Suspicious Desktopimgdownldr Execution, MavInject Process Injection, Equation Group DLL_U Load, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Copy Of Legitimate System32 Executable, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Possible Malicious File Double Extension"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Socat Reverse Shell Detection, Socat Relaying Socket, Potential DNS Tunnel, Venom Multi-hop Proxy agent detection, Ngrok Process Execution, Netsh Port Forwarding"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Stop Backup Services, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, WMI Fingerprint Commands, WMI Install Of Binary, Invoke-TheHash Commandlets, Blue Mockingbird Malware, Wmic Process Call Creation, WMIC Uninstall Product, WMImplant Hack Tool"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Default Encoding To UTF-8 PowerShell, PowerShell Invoke Expression With Registry, Invoke-TheHash Commandlets, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Generic, Bloodhound and Sharphound Tools Usage, Powershell Web Request, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, FromBase64String Command Line, Suspicious PowerShell Keywords, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, WMImplant Hack Tool, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account, Mimikatz Basic Commands"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, NjRat Registry Changes, Njrat Registry Values, Autorun Keys Modification, Malware Persistence Registry Key"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Services, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, Microsoft Defender Antivirus Disable Using Registry, WMIC Uninstall Product, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Forwarding, Disable Task Manager Through Registry Key"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, FromBase64String Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, QakBot Process Creation"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, Internet Scanner Target, ACLight Discovering Privileged Accounts, Internet Scanner"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group, Login Brute-Force On Firewall"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line, Exfiltration Domain"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar With Password"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Mustang Panda Dropper, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Msdt (Follina) File Browse Process Execution, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Correlation Potential DNS Tunnel, Sliver DNS Beaconing, Cobalt Strike HTTP Default POST Beaconing, Covenant Default HTTP Beaconing, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Python HTTP Server, Detect requests to Konni C2 servers, DNS Exfiltration and Tunneling Tools Execution, Bazar Loader DGA (Domain Generation Algorithm), Cobalt Strike HTTP Default GET beaconing, Koadic MSHTML Command, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Nimbo-C2 User Agent, Cryptomining, Potential Lemon Duck User-Agent, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Dynamic DNS Contacted"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, WMI Fingerprint Commands, Listing Systemd Environment"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, Python HTTP Server, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing, Cobalt Strike HTTP Default GET beaconing, Detect requests to Konni C2 servers, Koadic MSHTML Command, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Suspicious DLL Loading By Ordinal, Equation Group DLL_U Load"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access, Container Credential Access"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Malspam Execution Registering Malicious DLL, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, TOR Usage, Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Download Files From Non-Legitimate TLDs, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), GitLab CVE-2021-22205, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-22986 F5 BIG-IP iControl REST Unauthenticated RCE, CVE-2021-21985 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target, Burp Suite Tool Detected"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_a199fbde-508e-4cb9-ae37-842703494be0_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_a199fbde-508e-4cb9-ae37-842703494be0_do_not_edit_manually.json
index af88e48095..895709e62f 100644
--- a/_shared_content/operations_center/detection/generated/attack_a199fbde-508e-4cb9-ae37-842703494be0_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_a199fbde-508e-4cb9-ae37-842703494be0_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x BIND", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Correlation Potential DNS Tunnel, Cobalt Strike DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining, Sliver DNS Beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cobalt Strike DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining, Sliver DNS Beaconing"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x BIND", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing, Dynamic DNS Contacted, Cobalt Strike DNS Beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Cobalt Strike DNS Beaconing"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb_do_not_edit_manually.json
index 6711380ac6..02472e43df 100644
--- a/_shared_content/operations_center/detection/generated/attack_a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Jumpcloud Directory Insights", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Socat Reverse Shell Detection, Bloodhound and Sharphound Tools Usage, Socat Relaying Socket"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Jumpcloud Account Locked"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Workstation, Login Brute-Force Successful On Jumpcloud Portal"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Workstation, Login Brute-Force Successful On Jumpcloud Portal"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Correlation Block actions"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: WAF Correlation Block actions"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Jumpcloud Api Key Updated"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, Discovery Commands Correlation"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, Discovery Commands Correlation"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Discovery Commands Correlation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Jumpcloud Directory Insights", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Socat Relaying Socket, Sekoia.io EICAR Detection, Bloodhound and Sharphound Tools Usage, Socat Reverse Shell Detection"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Jumpcloud Account Locked"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Workstation, Login Brute-Force Successful On Jumpcloud Portal"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Workstation, Login Brute-Force Successful On Jumpcloud Portal"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Correlation Block actions"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: WAF Correlation Block actions"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Jumpcloud Api Key Updated"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Relaying Socket, Exfiltration And Tunneling Tools Execution, Socat Reverse Shell Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Exfiltration And Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, System Info Discovery"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage, NlTest Usage"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_a2915a14-d1e9-4397-86fc-8f8b2c617466_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_a2915a14-d1e9-4397-86fc-8f8b2c617466_do_not_edit_manually.json
index 2a7b1edbcf..8fda95802b 100644
--- a/_shared_content/operations_center/detection/generated/attack_a2915a14-d1e9-4397-86fc-8f8b2c617466_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_a2915a14-d1e9-4397-86fc-8f8b2c617466_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Olfeo secure web gateway [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cryptomining, LokiBot Default C2 URL"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-21985 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2020-1147 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-17530 Apache Struts RCE, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-41773 Apache 2.4.49 Path Traversal, GitLab CVE-2021-22205, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2019-0604 SharePoint"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Olfeo secure web gateway [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, SEKOIA.IO Intelligence Feed, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, LokiBot Default C2 URL, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), GitLab CVE-2021-22205, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, LokiBot Default C2 URL, Koadic MSHTML Command"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_ab25af2e-4916-40ba-955c-34d2301c1f51_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ab25af2e-4916-40ba-955c-34d2301c1f51_do_not_edit_manually.json
index 243c2f99b1..eef5158687 100644
--- a/_shared_content/operations_center/detection/generated/attack_ab25af2e-4916-40ba-955c-34d2301c1f51_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_ab25af2e-4916-40ba-955c-34d2301c1f51_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x F5 NGINX", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential LokiBot User-Agent, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Dynamic DNS Contacted, Cobalt Strike HTTP Default POST Beaconing, Correlation Potential DNS Tunnel, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Bazar Loader DGA (Domain Generation Algorithm), Cobalt Strike HTTP Default GET beaconing, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cryptomining, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, LokiBot Default C2 URL"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-21985 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2020-1147 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-17530 Apache Struts RCE, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-41773 Apache 2.4.49 Path Traversal, GitLab CVE-2021-22205, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2019-0604 SharePoint"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential LokiBot User-Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Cobalt Strike HTTP Default POST Beaconing, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, LokiBot Default C2 URL"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x F5 NGINX", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing, Cobalt Strike HTTP Default GET beaconing, Detect requests to Konni C2 servers, Koadic MSHTML Command, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Covenant Default HTTP Beaconing, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Download Files From Non-Legitimate TLDs, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), GitLab CVE-2021-22205, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing, Cobalt Strike HTTP Default GET beaconing, Detect requests to Konni C2 servers, Koadic MSHTML Command, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_ae62a8c4-11f8-4aea-af5b-6968f8ac04ba_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ae62a8c4-11f8-4aea-af5b-6968f8ac04ba_do_not_edit_manually.json
index 8b3db65d66..2a2b621290 100644
--- a/_shared_content/operations_center/detection/generated/attack_ae62a8c4-11f8-4aea-af5b-6968f8ac04ba_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_ae62a8c4-11f8-4aea-af5b-6968f8ac04ba_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Azure Key Vault [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cryptomining, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, LokiBot Default C2 URL"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, LokiBot Default C2 URL"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Azure Key Vault [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Koadic MSHTML Command, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Covenant Default HTTP Beaconing, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_aeb7d407-db57-44b2-90b6-7df6738d5d7f_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_aeb7d407-db57-44b2-90b6-7df6738d5d7f_do_not_edit_manually.json
index 087c9a8103..0778b93107 100644
--- a/_shared_content/operations_center/detection/generated/attack_aeb7d407-db57-44b2-90b6-7df6738d5d7f_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_aeb7d407-db57-44b2-90b6-7df6738d5d7f_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x FreeRADIUS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: FreeRADIUS Failed Authentication, Login Brute-Force On FreeRadius, RSA SecurID Failed Authentification"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1110.001", "score": 100, "comment": "Rules: FreeRADIUS Failed Authentication"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Login Brute-Force On FreeRadius"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x FreeRADIUS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: FreeRADIUS Failed Authentication, Login Brute-Force On FreeRadius, RSA SecurID Failed Authentification"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1110.001", "score": 100, "comment": "Rules: FreeRADIUS Failed Authentication"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Login Brute-Force On FreeRadius"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_b1545bb3-6f55-4ba4-ac80-d649040a127c_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_b1545bb3-6f55-4ba4-ac80-d649040a127c_do_not_edit_manually.json
index a4c9c7bc48..6628a37b45 100644
--- a/_shared_content/operations_center/detection/generated/attack_b1545bb3-6f55-4ba4-ac80-d649040a127c_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_b1545bb3-6f55-4ba4-ac80-d649040a127c_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Juniper Networks Switches [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Juniper Networks Switches [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_b28db14b-e3a7-463e-8659-9bf0e577944f_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_b28db14b-e3a7-463e-8659-9bf0e577944f_do_not_edit_manually.json
index ca2aaae20f..18abf2d55d 100644
--- a/_shared_content/operations_center/detection/generated/attack_b28db14b-e3a7-463e-8659-9bf0e577944f_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_b28db14b-e3a7-463e-8659-9bf0e577944f_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x OpenSSH", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Dumpert LSASS Process Dumper"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Dumpert LSASS Process Dumper"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x OpenSSH", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Dumpert LSASS Process Dumper"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Dumpert LSASS Process Dumper"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_b2d961ae-0f7e-400b-879a-f97be24cc02d_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_b2d961ae-0f7e-400b-879a-f97be24cc02d_do_not_edit_manually.json
index b55bedae35..424bafaceb 100644
--- a/_shared_content/operations_center/detection/generated/attack_b2d961ae-0f7e-400b-879a-f97be24cc02d_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_b2d961ae-0f7e-400b-879a-f97be24cc02d_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Trend Micro Cloud One / Deep Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1133", "score": 100, "comment": "Rules: Trend Micro Cloud One Medium Intrusion, Trend Micro Cloud One High Intrusion, SecurityScorecard Vulnerability Assessment Scanner New Issues, Trend Micro Cloud One Low Intrusion"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Venom Multi-hop Proxy agent detection, Suspicious Windows Script Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious CodePage Switch with CHCP, Default Encoding To UTF-8 PowerShell, Socat Reverse Shell Detection, Generic-reverse-shell-oneliner, WMImplant Hack Tool, Suspicious PowerShell Keywords, PowerShell Downgrade Attack, Suspicious PrinterPorts Creation (CVE-2020-1048), Mustang Panda Dropper, PowerShell EncodedCommand, QakBot Process Creation, Socat Relaying Socket, Sysprep On AppData Folder, Aspnet Compiler, Powershell Web Request, Malspam Execution Registering Malicious DLL, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Taskkill Command, Bloodhound and Sharphound Tools Usage, MalwareBytes Uninstallation, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Download From URL, PowerShell Commands Invocation, Invoke-TheHash Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, XSL Script Processing And SquiblyTwo Attack, Suspicious XOR Encoded PowerShell Command Line, WMIC Uninstall Product, Suspicious PowerShell Invocations - Generic, Microsoft Office Creating Suspicious File, Suspicious VBS Execution Parameter, Suspicious PowerShell Invocations - Specific, Lazarus Loaders, Elise Backdoor, DNS Exfiltration and Tunneling Tools Execution, PowerShell Invoke Expression With Registry, Suspicious File Name, Linux Bash Reverse Shell"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Process Names In Command Line, Cmdkey Cached Credentials Recon, HackTools Suspicious Names, Process Trace Alteration, NTDS.dit File In Suspicious Directory, Mimikatz Basic Commands, Rubeus Tool Command-line, Grabbing Sensitive Hives Via Reg Utility, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Comsvcs, Wdigest Enable UseLogonCredential, NTDS.dit File Interaction Through Command Line, WCE wceaux.dll Creation, Suspicious CommandLine Lsassy Pattern, Credential Dump Tools Related Files, Process Memory Dump Using Createdump, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Rclone Process, Suspicious certutil command, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, QakBot Process Creation, Suspicious CodePage Switch with CHCP, Microsoft Office Creating Suspicious File, Malspam Execution Registering Malicious DLL, Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Shadow Copies, Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Add User to Privileged Group, Enabling Restricted Admin Mode"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Powershell AMSI Bypass, Netsh Port Opening, Netsh Allow Command, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Allow Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh RDP Port Opening, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PROCEXP152.sys File Created In Tmp, Netsh RDP Port Forwarding, Netsh Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Disabled IE Security Features, ETW Tampering, Powershell AMSI Bypass, MalwareBytes Uninstallation, Raccine Uninstall, Disable Windows Defender Credential Guard, Address Space Layout Randomization (ASLR) Alteration, Windows Firewall Changes, Microsoft Defender Antivirus Disable Using Registry, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable Services, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, WMIC Uninstall Product, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Port Opening, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Task Manager Through Registry Key, Netsh Allowed Python Program, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Wdigest Enable UseLogonCredential, Suspicious Desktopimgdownldr Execution, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Empire Monkey Activity, Suspicious Desktopimgdownldr Execution, Suspicious Mshta Execution, xWizard Execution, Suspicious Regsvr32 Execution, Malspam Execution Registering Malicious DLL, MavInject Process Injection, PowerShell Execution Via Rundll32, CertOC Loading Dll, Suspicious DLL Loading By Ordinal, Suspicious Taskkill Command, Explorer Process Executing HTA File, Equation Group DLL_U Load, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Regasm Regsvcs Usage, CMSTP Execution, Control Panel Items, Suspicious Control Process, AccCheckConsole Executing Dll, Mshta JavaScript Execution, Suspicious Windows Installer Execution, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Control Panel Items, WMI Persistence Script Event Consumer File Write, Change Default File Association, Component Object Model Hijacking"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password, PowerShell Data Compressed"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Openfiles Usage, Network Scanning and Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, PowerView commandlets 1, AdFind Usage, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Copy Of Legitimate System32 Executable, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, RTLO Character"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Ngrok Process Execution, Netsh Port Forwarding"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Correlation Multi Service Disable"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Stop Backup Services"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, ZIP LNK Infection Chain, Microsoft Office Creating Suspicious File, Malspam Execution Registering Malicious DLL, HTA Infection Chains, ISO LNK Infection Chain, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Process Call Creation, WMIC Uninstall Product, WMImplant Hack Tool, WMI Install Of Binary, Invoke-TheHash Commandlets, Wmic Service Call, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, WMImplant Hack Tool, Suspicious PowerShell Keywords, PowerShell Downgrade Attack, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Powershell Web Request, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Taskkill Command, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Download From URL, Invoke-TheHash Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, Suspicious PowerShell Invocations - Generic, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, PowerShell Invoke Expression With Registry"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PROCEXP152.sys File Created In Tmp, Netsh RDP Port Forwarding, Netsh Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Disabled IE Security Features, MalwareBytes Uninstallation, Raccine Uninstall, Disable Windows Defender Credential Guard, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Disable Services, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, WMIC Uninstall Product, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Port Opening, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Task Manager Through Registry Key, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, Download Files From Suspicious TLDs, HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Autorun Keys Modification, Leviathan Registry Key Activity, Njrat Registry Values, Kernel Module Alteration, NjRat Registry Changes"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious XOR Encoded PowerShell Command Line, Suspicious certutil command, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Gpresult Usage, Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, Network Sniffing, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, PsExec Process, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Exfiltration Via Pscp, OneNote Suspicious Children Process, PsExec Process, SolarWinds Suspicious File Creation, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, New Service Creation"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: System Network Connections Discovery, ACLight Discovering Privileged Accounts, Remote System Discovery Via Telnet, Adidnsdump Enumeration"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, WMIC Uninstall Product, MalwareBytes Uninstallation, Malspam Execution Registering Malicious DLL, Lazarus Loaders, Elise Backdoor, Suspicious Taskkill Command, Phorpiex DriveMgr Command, Mustang Panda Dropper"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access, Adexplorer Usage, Linux Suspicious Search, Opening Of a Password File, Container Credential Access"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, Erase Shell History, ETW Tampering, Compression Followed By Suppression"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution, Download Files From Suspicious TLDs"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Malspam Execution Registering Malicious DLL, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Python HTTP Server, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Dynamic DNS Contacted, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cryptomining"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, Dynamic Linker Hijacking From Environment Variable, DNS ServerLevelPluginDll Installation, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Createdump, Credential Dump Tools Related Files"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Suspicious Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding, Suspicious TOR Gateway"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Trend Micro Cloud One / Deep Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner New Issues, Trend Micro Cloud One Medium Intrusion, Trend Micro Cloud One Low Intrusion, Trend Micro Cloud One High Intrusion"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, PowerShell Commands Invocation, Suspicious File Name, Bloodhound and Sharphound Tools Usage, Suspicious XOR Encoded PowerShell Command Line, Venom Multi-hop Proxy agent detection, Suspicious PowerShell Keywords, WMIC Uninstall Product, Suspicious PowerShell Invocations - Specific, Suspicious VBS Execution Parameter, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious CodePage Switch with CHCP, Socat Reverse Shell Detection, Phorpiex DriveMgr Command, Invoke-TheHash Commandlets, Malspam Execution Registering Malicious DLL, Powershell Web Request, XSL Script Processing And SquiblyTwo Attack, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Office Creating Suspicious File, WMImplant Hack Tool, Sekoia.io EICAR Detection, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Socat Relaying Socket, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, FromBase64String Command Line, Suspicious Taskkill Command, Generic-reverse-shell-oneliner, QakBot Process Creation, Aspnet Compiler, PowerShell Downgrade Attack, Linux Bash Reverse Shell, Elise Backdoor, Suspicious PowerShell Invocations - Generic, Suspicious Windows Script Execution, Mustang Panda Dropper, Lazarus Loaders, Sysprep On AppData Folder, PowerShell Download From URL"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, Suspicious CommandLine Lsassy Pattern, WCE wceaux.dll Creation, Credential Dump Tools Related Files, Process Trace Alteration, Mimikatz Basic Commands, HackTools Suspicious Process Names In Command Line, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Names, Process Memory Dump Using Rdrleakdiag, Wdigest Enable UseLogonCredential, Grabbing Sensitive Hives Via Reg Utility, Process Memory Dump Using Createdump, Copying Browser Files With Credentials"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Rclone Process, Suspicious Finger Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Malspam Execution Registering Malicious DLL, XSL Script Processing And SquiblyTwo Attack, Microsoft Office Creating Suspicious File, Suspicious Windows Script Execution, QakBot Process Creation, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, Shadow Copies, Suspicious Headless Web Browser Execution To Download File, System Info Discovery"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Netsh Allow Command, Netsh RDP Port Forwarding, Windows Firewall Changes, Powershell AMSI Bypass, Netsh Port Opening, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Netsh RDP Port Forwarding, Windows Firewall Changes, Microsoft Defender Antivirus Disable SecurityHealth, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Powershell AMSI Bypass, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Opening, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Port Opening, Disabled IE Security Features, Netsh Port Forwarding, Netsh Allow Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, ETW Tampering, Disable .NET ETW Through COMPlus_ETWEnabled, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disable Services, Address Space Layout Randomization (ASLR) Alteration, Fail2ban Unban IP, Clear EventLogs Through CommandLine, Raccine Uninstall, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Suspicious PROCEXP152.sys File Created In Tmp, Disable Task Manager Through Registry Key"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Blue Mockingbird Malware, Wdigest Enable UseLogonCredential, RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, DHCP Callout DLL Installation, Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, Suspicious Rundll32.exe Execution, Mshta JavaScript Execution, MavInject Process Injection, Suspicious Control Process, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Regasm Regsvcs Usage, Malspam Execution Registering Malicious DLL, CertOC Loading Dll, xWizard Execution, PowerShell Execution Via Rundll32, Control Panel Items, Empire Monkey Activity, Suspicious Desktopimgdownldr Execution, Suspicious Taskkill Command, Suspicious Mshta Execution, Suspicious DLL Loading By Ordinal, Suspicious Regsvr32 Execution, CMSTP Execution, Explorer Process Executing HTA File, Equation Group DLL_U Load"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Control Panel Items, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, PowerShell Data Compressed, Data Compressed With Rar With Password"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2, Network Scanning and Discovery, Openfiles Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 1, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 1, Network Share Discovery, PowerView commandlets 2"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, AdFind Usage, NlTest Usage, PowerView commandlets 1"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading, Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Copy Of Legitimate System32 Executable, Non-Legitimate Executable Using AcceptEula Parameter, Possible Malicious File Double Extension, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Ngrok Process Execution, Netsh Port Forwarding"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Stop Backup Services, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, Download Files From Suspicious TLDs, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, HTA Infection Chains, Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File, ISO LNK Infection Chain"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, WMI Install Of Binary, Invoke-TheHash Commandlets, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, Wmic Process Call Creation, WMIC Uninstall Product, WMImplant Hack Tool"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, Bloodhound and Sharphound Tools Usage, Suspicious XOR Encoded PowerShell Command Line, Suspicious PowerShell Keywords, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, Invoke-TheHash Commandlets, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), WMImplant Hack Tool, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, FromBase64String Command Line, Suspicious Taskkill Command, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Generic, PowerShell Download From URL"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable SecurityHealth, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Port Opening, Disabled IE Security Features, Netsh Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disable Services, Address Space Layout Randomization (ASLR) Alteration, Fail2ban Unban IP, Raccine Uninstall, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Suspicious PROCEXP152.sys File Created In Tmp, Disable Task Manager Through Registry Key"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, HTA Infection Chains, Download Files From Suspicious TLDs, ISO LNK Infection Chain"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, NjRat Registry Changes, Njrat Registry Values, Autorun Keys Modification, Kernel Module Alteration, Malware Persistence Registry Key"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Suspicious XOR Encoded PowerShell Command Line, OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments, OneNote Suspicious Children Process, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Exfiltration Via Pscp, Usage Of Procdump With Common Arguments, SolarWinds Suspicious File Creation, Usage Of Sysinternals Tools, PsExec Process, OneNote Suspicious Children Process"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, System Network Connections Discovery, Remote System Discovery Via Telnet, ACLight Discovering Privileged Accounts"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Elise Backdoor, Phorpiex DriveMgr Command, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Mustang Panda Dropper, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Adexplorer Usage, Opening Of a Password File, Linux Suspicious Search, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, Erase Shell History, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line, Exfiltration Domain"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution, Download Files From Suspicious TLDs"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, Malspam Execution Registering Malicious DLL, Empire Monkey Activity, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Python HTTP Server, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Detect requests to Konni C2 servers, Koadic MSHTML Command, Dynamic DNS Contacted"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Hijack Legit RDP Session To Move Laterally, Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_ba40ab72-1456-11ee-be56-0242ac120002_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ba40ab72-1456-11ee-be56-0242ac120002_do_not_edit_manually.json
index 9ee6eb866d..902ac24f23 100644
--- a/_shared_content/operations_center/detection/generated/attack_ba40ab72-1456-11ee-be56-0242ac120002_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_ba40ab72-1456-11ee-be56-0242ac120002_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Trellix EPO [ALPHA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Socat Reverse Shell Detection, Bloodhound and Sharphound Tools Usage, Socat Relaying Socket"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, Discovery Commands Correlation"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, Discovery Commands Correlation"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Discovery Commands Correlation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Trellix EPO [ALPHA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Socat Relaying Socket, Sekoia.io EICAR Detection, Bloodhound and Sharphound Tools Usage, Socat Reverse Shell Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Relaying Socket, Exfiltration And Tunneling Tools Execution, Socat Reverse Shell Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Exfiltration And Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, System Info Discovery"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage, NlTest Usage"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_bae128bb-98c6-45f7-9763-aad3451821e5_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_bae128bb-98c6-45f7-9763-aad3451821e5_do_not_edit_manually.json
index 152eac16df..28f1ea07a4 100644
--- a/_shared_content/operations_center/detection/generated/attack_bae128bb-98c6-45f7-9763-aad3451821e5_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_bae128bb-98c6-45f7-9763-aad3451821e5_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Trellix Network Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner New Issues"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, Process Trace Alteration, NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation, Credential Dump Tools Related Files"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner, Adidnsdump Enumeration"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential LokiBot User-Agent, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Trellix Network Security Threat Notified, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cryptomining, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Trellix Network Security Threat Blocked"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-26855 Exchange SSRF, CVE-2020-1147 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2020-17530 Apache Struts RCE, CVE-2021-21972 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-0604 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21985 VMware vCenter"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage, Suspicious TOR Gateway"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential LokiBot User-Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Burp Suite Tool Detected, Internet Scanner"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Trellix Network Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner New Issues"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Process Trace Alteration, NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation, HackTools Suspicious Names"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Trellix Network Security Threat Notified, Nimbo-C2 User Agent, Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, TrevorC2 HTTP Communication, Covenant Default HTTP Beaconing, Dynamic DNS Contacted, Trellix Network Security Threat Blocked"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-1147 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, TrevorC2 HTTP Communication, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target, Burp Suite Tool Detected"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_bba2bed2-d925-440f-a0ce-dbcae04eaf26_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_bba2bed2-d925-440f-a0ce-dbcae04eaf26_do_not_edit_manually.json
index ef3dcd8432..133f6e2fbc 100644
--- a/_shared_content/operations_center/detection/generated/attack_bba2bed2-d925-440f-a0ce-dbcae04eaf26_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_bba2bed2-d925-440f-a0ce-dbcae04eaf26_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Gatewatcher AionIQ", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, HackTools Suspicious Names, Credential Dump Tools Related Files"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Gatewatcher AionIQ Malware Alert, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential LokiBot User-Agent, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Correlation Potential DNS Tunnel, Covenant Default HTTP Beaconing, Cobalt Strike DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing, Cryptomining, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage, Suspicious TOR Gateway"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential LokiBot User-Agent, Covenant Default HTTP Beaconing, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cobalt Strike DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining, Sliver DNS Beaconing"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Gatewatcher AionIQ", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, HackTools Suspicious Names, WCE wceaux.dll Creation"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Gatewatcher AionIQ Malware Alert"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Cryptomining, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing, Potential LokiBot User-Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Dynamic DNS Contacted, Cobalt Strike DNS Beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Cobalt Strike DNS Beaconing"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_bd9d0f51-114e-499a-bb7a-4f2d0a518b04_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_bd9d0f51-114e-499a-bb7a-4f2d0a518b04_do_not_edit_manually.json
index d8c9f66eac..e434a5eb26 100644
--- a/_shared_content/operations_center/detection/generated/attack_bd9d0f51-114e-499a-bb7a-4f2d0a518b04_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_bd9d0f51-114e-499a-bb7a-4f2d0a518b04_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cloudflare DNS logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining, Sliver DNS Beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Correlation Potential DNS Tunnel, Sliver DNS Beaconing, Cryptomining"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cloudflare DNS logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_bf8867ee-43b7-444c-9475-a7f43754ab6d_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_bf8867ee-43b7-444c-9475-a7f43754ab6d_do_not_edit_manually.json
index b2d6c57075..149fe10ee7 100644
--- a/_shared_content/operations_center/detection/generated/attack_bf8867ee-43b7-444c-9475-a7f43754ab6d_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_bf8867ee-43b7-444c-9475-a7f43754ab6d_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Vectra Cognito Detect", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: Vectra General Threat Detection"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, Correlation Potential DNS Tunnel, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Vectra Cognito Detect", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: Vectra General Threat Detection"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.json
index 6fde3a2ba4..33956440f7 100644
--- a/_shared_content/operations_center/detection/generated/attack_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Elastic Winlogbeat", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir, Winword Document Droppers, Sysmon Windows File Block Executable, Malspam Execution Registering Malicious DLL, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File, Microsoft Defender Antivirus Threat Detected, IcedID Execution Using Excel, MS Office Product Spawning Exe in User Dir, Winword Document Droppers, Sysmon Windows File Block Executable, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Suspicious Outlook Child Process, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Venom Multi-hop Proxy agent detection, Suspicious Windows Script Execution, PowerShell NTFS Alternate Data Stream, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious CodePage Switch with CHCP, Default Encoding To UTF-8 PowerShell, Socat Reverse Shell Detection, Generic-reverse-shell-oneliner, WMImplant Hack Tool, Suspicious PowerShell Keywords, Trickbot Malware Activity, PowerShell Downgrade Attack, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PrinterPorts Creation (CVE-2020-1048), Mustang Panda Dropper, Malicious PowerShell Keywords, PowerShell EncodedCommand, QakBot Process Creation, Socat Relaying Socket, Sysprep On AppData Folder, Python Offensive Tools and Packages, Aspnet Compiler, Powershell Web Request, Malspam Execution Registering Malicious DLL, Suspicious Outlook Child Process, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Credential Prompt, Suspicious Taskkill Command, AutoIt3 Execution From Suspicious Folder, Bloodhound and Sharphound Tools Usage, Suspicious Cmd.exe Command Line, MalwareBytes Uninstallation, PowerShell Malicious Nishang PowerShell Commandlets, Mshta Suspicious Child Process, PowerShell Download From URL, PowerShell Commands Invocation, Microsoft Office Spawning Script, Invoke-TheHash Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, Interactive Terminal Spawned via Python, XSL Script Processing And SquiblyTwo Attack, Suspicious XOR Encoded PowerShell Command Line, WMIC Uninstall Product, Suspicious PowerShell Invocations - Generic, Exploited CVE-2020-10189 Zoho ManageEngine, Microsoft Office Creating Suspicious File, Microsoft Defender Antivirus Threat Detected, SquirrelWaffle Malspam Execution Loading DLL, Suspicious VBS Execution Parameter, Suspicious PowerShell Invocations - Specific, Lazarus Loaders, Elise Backdoor, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, DNS Exfiltration and Tunneling Tools Execution, PowerShell Invoke Expression With Registry, PowerShell Malicious PowerShell Commandlets, Suspicious File Name, Linux Bash Reverse Shell"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Portal"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Portal"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected, WAF Correlation Block actions"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Burp Suite Tool Detected, Internet Scanner, WAF Correlation Block actions"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Correlation Internal Ntlm Password Spraying, RSA SecurID Failed Authentification"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Program Allowed With Suspicious Location, Netsh Allow Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Exclusion Configuration, Netsh RDP Port Opening, Microsoft Defender Antivirus Tampering Detected, Disable .NET ETW Through COMPlus_ETWEnabled, SELinux Disabling, Package Manager Alteration, FLTMC command usage, Windows Defender Deactivation Using PowerShell Script, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PROCEXP152.sys File Created In Tmp, Netsh RDP Port Forwarding, Netsh Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Disabled IE Security Features, ETW Tampering, Powershell AMSI Bypass, MalwareBytes Uninstallation, Raccine Uninstall, Disable Windows Defender Credential Guard, Address Space Layout Randomization (ASLR) Alteration, Windows Firewall Changes, Microsoft Defender Antivirus Disable Using Registry, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable Services, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, NetNTLM Downgrade Attack, Dism Disabling Windows Defender, WMIC Uninstall Product, TrustedInstaller Impersonation, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Port Opening, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Task Manager Through Registry Key, Netsh Allowed Python Program, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Driver Loaded, Disabled Service"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted, Cookies Deletion, High Privileges Network Share Removal, Microsoft Defender Antivirus Tampering Detected, Clear EventLogs Through CommandLine, Erase Shell History, ETW Tampering, Compression Followed By Suppression"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, FLTMC command usage, ETW Tampering"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Exclusion Configuration, Netsh RDP Port Opening, SELinux Disabling, Package Manager Alteration, Windows Defender Deactivation Using PowerShell Script, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PROCEXP152.sys File Created In Tmp, Netsh RDP Port Forwarding, Netsh Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Disabled IE Security Features, MalwareBytes Uninstallation, Raccine Uninstall, Disable Windows Defender Credential Guard, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Disable Services, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, NetNTLM Downgrade Attack, Dism Disabling Windows Defender, WMIC Uninstall Product, TrustedInstaller Impersonation, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Port Opening, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Task Manager Through Registry Key, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Driver Loaded, Disabled Service"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Process Names In Command Line, NTDS.dit File In Suspicious Directory, Mimikatz Basic Commands, Process Memory Dump Using Comsvcs, Grabbing Sensitive Hives Via Reg Utility, WCE wceaux.dll Creation, Copying Browser Files With Credentials, HackTools Suspicious Names, NTDS.dit File Interaction Through Command Line, Suspicious CommandLine Lsassy Pattern, Windows Credential Editor Registry Key, Cmdkey Cached Credentials Recon, Malicious Service Installations, Process Trace Alteration, Rubeus Tool Command-line, Wdigest Enable UseLogonCredential, Credential Dump Tools Related Files, NetNTLM Downgrade Attack, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Ursnif Registry Key, Suspicious New Printer Ports In Registry, RedMimicry Winnti Playbook Registry Manipulation, RDP Sensitive Settings Changed, Wdigest Enable UseLogonCredential, Suspicious Desktopimgdownldr Execution, Disable Workstation Lock, DHCP Callout DLL Installation, FlowCloud Malware, DNS ServerLevelPluginDll Installation, RDP Port Change Using Powershell, Chafer (APT 39) Activity, Disabling SmartScreen Via Registry, OceanLotus Registry Activity, NetNTLM Downgrade Attack, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Rclone Process, Suspicious certutil command, Network Connection Via Certutil, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP UAC Bypass via COM Object Access, CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Empire Monkey Activity, IcedID Execution Using Excel, Suspicious Desktopimgdownldr Execution, Suspicious Mshta Execution, xWizard Execution, Suspicious Regsvr32 Execution, Malspam Execution Registering Malicious DLL, MavInject Process Injection, PowerShell Execution Via Rundll32, CertOC Loading Dll, Suspicious DLL Loading By Ordinal, CMSTP UAC Bypass via COM Object Access, Suspicious Taskkill Command, MOFComp Execution, Explorer Process Executing HTA File, Equation Group DLL_U Load, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Regasm Regsvcs Usage, CMSTP Execution, SquirrelWaffle Malspam Execution Loading DLL, Control Panel Items, Suspicious Control Process, AccCheckConsole Executing Dll, Mshta JavaScript Execution, Suspicious Windows Installer Execution, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, QakBot Process Creation, Suspicious CodePage Switch with CHCP, Microsoft Office Creating Suspicious File, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Suspicious VBS Execution Parameter, Microsoft Office Spawning Script, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell NTFS Alternate Data Stream, Default Encoding To UTF-8 PowerShell, WMImplant Hack Tool, Suspicious PowerShell Keywords, PowerShell Downgrade Attack, Suspicious PrinterPorts Creation (CVE-2020-1048), Malicious PowerShell Keywords, PowerShell EncodedCommand, Powershell Web Request, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Credential Prompt, Suspicious Taskkill Command, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, Mshta Suspicious Child Process, PowerShell Download From URL, Invoke-TheHash Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, Suspicious PowerShell Invocations - Generic, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, PowerShell Invoke Expression With Registry, PowerShell Malicious PowerShell Commandlets"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Control Panel Items, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Sticky Key Like Backdoor Usage, WMI Persistence Script Event Consumer File Write, Change Default File Association, Component Object Model Hijacking"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Shadow Copies, Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Wsmprovhost Wrong Parent, Smss Wrong Parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration, Svchost Wrong Parent, Searchprotocolhost Wrong Parent, Searchindexer Wrong Parent, Taskhost Wrong Parent, Taskhostw Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Explorer Wrong Parent"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Suspicious Commands From MS SQL Server Shell, Winrshost Wrong Parent, Chafer (APT 39) Activity, Wsmprovhost Wrong Parent, Wininit Wrong Parent, SolarWinds Wrong Child Process, Spoolsv Wrong Parent, Winlogon wrong parent, Svchost Wrong Parent, Winword wrong parent, Taskhostw Wrong Parent, Dllhost Wrong Parent, Csrss Wrong Parent, Rare Lsass Child Found, Smss Wrong Parent, Malicious Service Installations, OneNote Suspicious Children Process, Searchprotocolhost Child Found, Gpscript Suspicious Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, New Service Creation, Taskhost Wrong Parent, Explorer Wrong Parent, Wmiprvse Wrong Parent, Logonui Wrong Parent, Csrss Child Found, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Userinit Wrong Parent, Lsass Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Suspicious Commands From MS SQL Server Shell, Winrshost Wrong Parent, Chafer (APT 39) Activity, Wsmprovhost Wrong Parent, Wininit Wrong Parent, SolarWinds Wrong Child Process, Spoolsv Wrong Parent, Winlogon wrong parent, Svchost Wrong Parent, Winword wrong parent, Taskhostw Wrong Parent, Dllhost Wrong Parent, Csrss Wrong Parent, Rare Lsass Child Found, Smss Wrong Parent, Malicious Service Installations, OneNote Suspicious Children Process, Searchprotocolhost Child Found, Gpscript Suspicious Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, New Service Creation, Taskhost Wrong Parent, Explorer Wrong Parent, Wmiprvse Wrong Parent, Logonui Wrong Parent, Csrss Child Found, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Userinit Wrong Parent, Lsass Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Suspicious Commands From MS SQL Server Shell, Smbexec.py Service Installation, Winrshost Wrong Parent, Suspicious DNS Child Process, Wsmprovhost Wrong Parent, Wininit Wrong Parent, SolarWinds Wrong Child Process, Spoolsv Wrong Parent, Winlogon wrong parent, Svchost Wrong Parent, PsExec Process, Winword wrong parent, Taskhostw Wrong Parent, Dllhost Wrong Parent, Usage Of Sysinternals Tools, Csrss Wrong Parent, Rare Lsass Child Found, Smss Wrong Parent, Malicious Service Installations, OneNote Suspicious Children Process, Searchprotocolhost Child Found, Gpscript Suspicious Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, Taskhost Wrong Parent, Usage Of Procdump With Common Arguments, Wmiprvse Wrong Parent, Logonui Wrong Parent, Csrss Child Found, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Userinit Wrong Parent, Lsass Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Suspicious Commands From MS SQL Server Shell, Smbexec.py Service Installation, Winrshost Wrong Parent, Suspicious DNS Child Process, Wsmprovhost Wrong Parent, Wininit Wrong Parent, SolarWinds Wrong Child Process, Spoolsv Wrong Parent, Windows Update LolBins, Winlogon wrong parent, Svchost Wrong Parent, PsExec Process, Winword wrong parent, Taskhostw Wrong Parent, SolarWinds Suspicious File Creation, Dllhost Wrong Parent, Usage Of Sysinternals Tools, Csrss Wrong Parent, Rare Lsass Child Found, Smss Wrong Parent, Malicious Service Installations, OneNote Suspicious Children Process, Searchprotocolhost Child Found, Gpscript Suspicious Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, Taskhost Wrong Parent, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, Wmiprvse Wrong Parent, Logonui Wrong Parent, Csrss Child Found, Microsoft Defender Antivirus Threat Detected, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Userinit Wrong Parent, Lsass Wrong Parent"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Enabling Restricted Admin Mode, Add User to Privileged Group, User Added to Local Administrators, SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory, Password Change On Directory Service Restore Mode (DSRM) Account, SSH Authorized Key Alteration"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Powershell AMSI Bypass, Netsh Port Opening, Netsh Program Allowed With Suspicious Location, Netsh Allow Command, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password, PowerShell Data Compressed"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Blue Mockingbird Malware, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Chafer (APT 39) Activity, Cron Files Alteration, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Chafer (APT 39) Activity, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1187", "score": 100, "comment": "Rules: Correlation Suspicious Authentication Coercer Behavior"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Correlation Suspicious Authentication Coercer Behavior"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Antivirus Relevant File Paths Alerts, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Openfiles Usage, Network Scanning and Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, PowerView commandlets 1, Phosphorus (APT35) Exchange Discovery, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Phosphorus Domain Controller Discovery, NlTest Usage, Trickbot Malware Activity, PowerView commandlets 1, AdFind Usage, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, IIS Module Installation Using AppCmd, Webshell Execution W3WP Process, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Copy Of Legitimate System32 Executable, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, AutoIt3 Execution From Suspicious Folder, RTLO Character, Suspicious Cmd.exe Command Line, Explorer Wrong Parent"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Ngrok Process Execution, Netsh Port Forwarding, Potential DNS Tunnel"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Disabled Service"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Stop Backup Services"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Process Call Creation, WMIC Uninstall Product, Impacket Wmiexec Module, WMImplant Hack Tool, WMI Install Of Binary, Invoke-TheHash Commandlets, Suspicious Mshta Execution From Wmi, Wmic Service Call, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack, Rubeus Register New Logon Process"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Successful Overpass The Hash Attempt"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, PowerShell NTFS Alternate Data Stream, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution, Chafer (APT 39) Activity, Cryptomining, Sliver DNS Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Correlation Potential DNS Tunnel, Suspicious Windows DNS Queries, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Bazar Loader DGA (Domain Generation Algorithm), Chafer (APT 39) Activity, Sliver DNS Beaconing, Cryptomining"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Autorun Keys Modification, Leviathan Registry Key Activity, Powershell Winlogon Helper DLL, DLL Load via LSASS Registry Key, Suspicious desktop.ini Action, Svchost Modification, Njrat Registry Values, Security Support Provider (SSP) Added to LSA Configuration, RUN Registry Key Created From Suspicious Folder, Kernel Module Alteration, NjRat Registry Changes"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Impacket Addcomputer, Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious New Printer Ports In Registry, Antivirus Relevant File Paths Alerts, Exploit For CVE-2015-1641, Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious XOR Encoded PowerShell Command Line, Suspicious certutil command, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Gpresult Usage, Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, Network Sniffing, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell EncodedCommand, OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, Suspicious Network Args In Command Line"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, RDP Login From Localhost"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, RDP Login From Localhost, Smbexec.py Service Installation, MMC20 Lateral Movement, RDP Port Change Using Powershell"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Office Application Startup Office Test"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Leviathan Registry Key Activity, Autorun Keys Modification, Svchost Modification, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, PowerShell Execution Via Rundll32, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, WMIC Uninstall Product, MalwareBytes Uninstallation, Exploited CVE-2020-10189 Zoho ManageEngine, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Lazarus Loaders, Elise Backdoor, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, Phorpiex DriveMgr Command, Mustang Panda Dropper"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access, Adexplorer Usage, Linux Suspicious Search, Opening Of a Password File, Container Credential Access"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Tampering - Suspicious Failed Logon Reasons, Account Added To A Security Enabled Group, User Added to Local Administrators, Account Removed From A Security Enabled Group, Admin User RDP Remote Logon"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Potential DNS Tunnel, Exfiltration Domain, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder, Explorer Wrong Parent"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Callout DLL Installation, DHCP Server Error Failed Loading the CallOut DLL, DNS ServerLevelPluginDll Installation, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Callout DLL Installation, DHCP Server Error Failed Loading the CallOut DLL, Dynamic Linker Hijacking From Environment Variable, DNS ServerLevelPluginDll Installation, Exploiting SetupComplete.cmd CVE-2019-1378, DHCP Server Loaded the CallOut DLL, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process, Suspicious Outlook Child Process, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, Suspicious Windows DNS Queries"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern, Credential Dump Tools Related Files, Process Memory Dump Using Createdump, Windows Credential Editor Registry Key"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy, Exploiting SetupComplete.cmd CVE-2019-1378, CVE-2021-4034 Polkit's pkexec, Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1110.003", "score": 100, "comment": "Rules: Correlation Internal Ntlm Password Spraying"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1021.002", "score": 100, "comment": "Rules: Smbexec.py Service Installation"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: CVE-2019-0708 Scan"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner, Adidnsdump Enumeration"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding, TOR Usage, Suspicious TOR Gateway"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage, Suspicious TOR Gateway"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Elastic Winlogbeat", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Sysmon Windows File Block Executable, Microsoft Office Spawning Script, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Exploit For CVE-2015-1641, Explorer Process Executing HTA File, Winword Document Droppers, Microsoft Office Creating Suspicious File, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Sysmon Windows File Block Executable, Microsoft Office Spawning Script, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Exploit For CVE-2015-1641, Explorer Process Executing HTA File, Winword Document Droppers, Microsoft Office Creating Suspicious File, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, Microsoft Defender Antivirus Threat Detected, Suspicious Outlook Child Process, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, PowerShell Commands Invocation, Suspicious File Name, Interactive Terminal Spawned via Python, Suspicious Outlook Child Process, Bloodhound and Sharphound Tools Usage, Suspicious XOR Encoded PowerShell Command Line, Venom Multi-hop Proxy agent detection, Suspicious PowerShell Keywords, Suspicious Cmd.exe Command Line, WMIC Uninstall Product, Suspicious PowerShell Invocations - Specific, Suspicious VBS Execution Parameter, Microsoft Defender Antivirus Threat Detected, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious CodePage Switch with CHCP, Microsoft Office Spawning Script, Socat Reverse Shell Detection, Phorpiex DriveMgr Command, Invoke-TheHash Commandlets, Malspam Execution Registering Malicious DLL, Powershell Web Request, XSL Script Processing And SquiblyTwo Attack, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Office Creating Suspicious File, Mshta Suspicious Child Process, WMImplant Hack Tool, PowerShell Credential Prompt, Sekoia.io EICAR Detection, Default Encoding To UTF-8 PowerShell, PowerShell Malicious PowerShell Commandlets, Python Offensive Tools and Packages, DNS Exfiltration and Tunneling Tools Execution, AutoIt3 Execution From Suspicious Folder, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Socat Relaying Socket, PowerShell EncodedCommand, FromBase64String Command Line, Suspicious Taskkill Command, Generic-reverse-shell-oneliner, QakBot Process Creation, Aspnet Compiler, PowerShell Downgrade Attack, Linux Bash Reverse Shell, PowerShell NTFS Alternate Data Stream, Elise Backdoor, Exploited CVE-2020-10189 Zoho ManageEngine, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PowerShell Invocations - Generic, Trickbot Malware Activity, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Suspicious Windows Script Execution, Mustang Panda Dropper, SquirrelWaffle Malspam Execution Loading DLL, Lazarus Loaders, Sysprep On AppData Folder, Malicious PowerShell Keywords, PowerShell Download From URL"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Portal"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Login Brute-Force Successful On Jumpcloud Portal"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Correlation Block actions, Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, WAF Correlation Block actions, Internet Scanner Target, Burp Suite Tool Detected"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Correlation Internal Ntlm Password Spraying, RSA SecurID Failed Authentification"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Windows Firewall Changes, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Program Allowed With Suspicious Location, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Powershell AMSI Bypass, Microsoft Defender Antivirus Exclusion Configuration, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Opening, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, TrustedInstaller Impersonation, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Port Opening, Disabled IE Security Features, Netsh Port Forwarding, FLTMC command usage, Netsh Allow Command, NetNTLM Downgrade Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, ETW Tampering, Package Manager Alteration, SELinux Disabling, Disable .NET ETW Through COMPlus_ETWEnabled, Disabled Service, AMSI Deactivation Using Registry Key, Suspicious Driver Loaded, Microsoft Defender Antivirus Disable Services, Address Space Layout Randomization (ASLR) Alteration, Fail2ban Unban IP, Clear EventLogs Through CommandLine, Windows Defender Deactivation Using PowerShell Script, Raccine Uninstall, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Suspicious PROCEXP152.sys File Created In Tmp, Disable Task Manager Through Registry Key"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, Microsoft Defender Antivirus Tampering Detected, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Deleted, Erase Shell History, Cookies Deletion, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, FLTMC command usage"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Program Allowed With Suspicious Location, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Microsoft Defender Antivirus Exclusion Configuration, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Opening, TrustedInstaller Impersonation, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Port Opening, Disabled IE Security Features, Netsh Port Forwarding, NetNTLM Downgrade Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, Package Manager Alteration, SELinux Disabling, Disabled Service, AMSI Deactivation Using Registry Key, Suspicious Driver Loaded, Microsoft Defender Antivirus Disable Services, Address Space Layout Randomization (ASLR) Alteration, Fail2ban Unban IP, Windows Defender Deactivation Using PowerShell Script, Raccine Uninstall, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Suspicious PROCEXP152.sys File Created In Tmp, Disable Task Manager Through Registry Key"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Malicious Service Installations, Process Memory Dump Using Comsvcs, NTDS.dit File In Suspicious Directory, HackTools Suspicious Process Names In Command Line, HackTools Suspicious Names, Process Trace Alteration, Grabbing Sensitive Hives Via Reg Utility, Rubeus Tool Command-line, Copying Sensitive Files With Credential Data, Credential Dump Tools Related Files, Suspicious CommandLine Lsassy Pattern, WCE wceaux.dll Creation, NetNTLM Downgrade Attack, Process Memory Dump Using Rdrleakdiag, Wdigest Enable UseLogonCredential, Process Memory Dump Using Createdump, Windows Credential Editor Registry Key, Mimikatz Basic Commands, NTDS.dit File Interaction Through Command Line, Copying Browser Files With Credentials"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, DNS ServerLevelPluginDll Installation, Disable Workstation Lock, NetNTLM Downgrade Attack, Blue Mockingbird Malware, FlowCloud Malware, Wdigest Enable UseLogonCredential, RDP Sensitive Settings Changed, Suspicious New Printer Ports In Registry, RedMimicry Winnti Playbook Registry Manipulation, OceanLotus Registry Activity, Suspicious Desktopimgdownldr Execution, Chafer (APT 39) Activity, Disabling SmartScreen Via Registry, DHCP Callout DLL Installation, Disable .NET ETW Through COMPlus_ETWEnabled, Ursnif Registry Key"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File, Network Connection Via Certutil, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Rclone Process, Suspicious Finger Usage"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, Mshta JavaScript Execution, MavInject Process Injection, Suspicious Control Process, MOFComp Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Regasm Regsvcs Usage, Malspam Execution Registering Malicious DLL, CertOC Loading Dll, xWizard Execution, PowerShell Execution Via Rundll32, Control Panel Items, Empire Monkey Activity, Suspicious Desktopimgdownldr Execution, Suspicious Taskkill Command, Suspicious Mshta Execution, Suspicious DLL Loading By Ordinal, Suspicious Regsvr32 Execution, CMSTP UAC Bypass via COM Object Access, CMSTP Execution, Explorer Process Executing HTA File, Equation Group DLL_U Load, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Microsoft Office Spawning Script, Malspam Execution Registering Malicious DLL, XSL Script Processing And SquiblyTwo Attack, Microsoft Office Creating Suspicious File, Suspicious Windows Script Execution, SquirrelWaffle Malspam Execution Loading DLL, QakBot Process Creation, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, Bloodhound and Sharphound Tools Usage, Suspicious XOR Encoded PowerShell Command Line, Suspicious PowerShell Keywords, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, Invoke-TheHash Commandlets, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), Mshta Suspicious Child Process, WMImplant Hack Tool, PowerShell Credential Prompt, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, FromBase64String Command Line, Suspicious Taskkill Command, PowerShell Downgrade Attack, PowerShell NTFS Alternate Data Stream, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious PowerShell Invocations - Generic, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell Malicious PowerShell Commandlets, Malicious PowerShell Keywords, PowerShell Download From URL"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Control Panel Items, Sticky Key Like Backdoor Usage, Change Default File Association, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, Shadow Copies, Suspicious Headless Web Browser Execution To Download File, System Info Discovery"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Svchost Wrong Parent, Taskhostw Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Smss Wrong Parent, Wsmprovhost Wrong Parent, Wmiprvse Wrong Parent, MavInject Process Injection, Explorer Wrong Parent, Spoolsv Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Searchindexer Wrong Parent"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Malicious Service Installations, Taskhostw Wrong Parent, Rare Logonui Child Found, Searchprotocolhost Wrong Parent, Chafer (APT 39) Activity, Spoolsv Wrong Parent, Wininit Wrong Parent, New Service Creation, Userinit Wrong Parent, Winrshost Wrong Parent, Gpscript Suspicious Parent, SolarWinds Wrong Child Process, Smss Wrong Parent, Explorer Wrong Parent, Winword wrong parent, OneNote Suspicious Children Process, Dllhost Wrong Parent, Svchost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Lsass Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Rare Lsass Child Found, Searchprotocolhost Child Found, Csrss Wrong Parent, Csrss Child Found, Suspicious Commands From MS SQL Server Shell, Wmiprvse Wrong Parent, Logonui Wrong Parent, Searchindexer Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Malicious Service Installations, Taskhostw Wrong Parent, Rare Logonui Child Found, Searchprotocolhost Wrong Parent, Chafer (APT 39) Activity, Spoolsv Wrong Parent, Wininit Wrong Parent, New Service Creation, Userinit Wrong Parent, Winrshost Wrong Parent, Gpscript Suspicious Parent, SolarWinds Wrong Child Process, Smss Wrong Parent, Explorer Wrong Parent, Winword wrong parent, OneNote Suspicious Children Process, Dllhost Wrong Parent, Svchost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Lsass Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Rare Lsass Child Found, Searchprotocolhost Child Found, Csrss Wrong Parent, Csrss Child Found, Suspicious Commands From MS SQL Server Shell, Wmiprvse Wrong Parent, Logonui Wrong Parent, Searchindexer Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Malicious Service Installations, Taskhostw Wrong Parent, Rare Logonui Child Found, Searchprotocolhost Wrong Parent, PsExec Process, Spoolsv Wrong Parent, Wininit Wrong Parent, Userinit Wrong Parent, Winrshost Wrong Parent, Gpscript Suspicious Parent, SolarWinds Wrong Child Process, Smss Wrong Parent, Usage Of Procdump With Common Arguments, Winword wrong parent, OneNote Suspicious Children Process, Suspicious DNS Child Process, Dllhost Wrong Parent, Svchost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Lsass Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Rare Lsass Child Found, Searchprotocolhost Child Found, Csrss Wrong Parent, Smbexec.py Service Installation, Csrss Child Found, Suspicious Commands From MS SQL Server Shell, Usage Of Sysinternals Tools, Wmiprvse Wrong Parent, Logonui Wrong Parent, Searchindexer Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Malicious Service Installations, Taskhostw Wrong Parent, Rare Logonui Child Found, Searchprotocolhost Wrong Parent, PsExec Process, Spoolsv Wrong Parent, Wininit Wrong Parent, Microsoft Defender Antivirus Threat Detected, Userinit Wrong Parent, Exfiltration Via Pscp, Winrshost Wrong Parent, Windows Update LolBins, Gpscript Suspicious Parent, SolarWinds Wrong Child Process, Smss Wrong Parent, Usage Of Procdump With Common Arguments, Winword wrong parent, OneNote Suspicious Children Process, Suspicious DNS Child Process, Dllhost Wrong Parent, Svchost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Lsass Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Rare Lsass Child Found, Searchprotocolhost Child Found, Csrss Wrong Parent, Smbexec.py Service Installation, Csrss Child Found, SolarWinds Suspicious File Creation, Suspicious Commands From MS SQL Server Shell, Usage Of Sysinternals Tools, Wmiprvse Wrong Parent, Logonui Wrong Parent, Searchindexer Wrong Parent"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: User Added to Local Administrators, Add User to Privileged Group, Mimikatz Basic Commands, SSH Authorized Key Alteration, Enabling Restricted Admin Mode, SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Netsh Allow Command, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Program Allowed With Suspicious Location, Powershell AMSI Bypass, Netsh Port Opening, Netsh Port Forwarding"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, PowerShell Data Compressed, Data Compressed With Rar With Password"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Schtasks Persistence With High Privileges, Cron Files Alteration, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, Chafer (APT 39) Activity, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, Chafer (APT 39) Activity, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation"}, {"techniqueID": "T1187", "score": 100, "comment": "Rules: Correlation Suspicious Authentication Coercer Behavior"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Correlation Suspicious Authentication Coercer Behavior, EvilProxy Phishing Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Antivirus Relevant File Paths Alerts, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, Suspicious DNS Child Process"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2, Network Scanning and Discovery, Openfiles Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, Phosphorus (APT35) Exchange Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 1, Network Share Discovery, PowerView commandlets 2"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, Trickbot Malware Activity, PowerView commandlets 2, NlTest Usage, AdFind Usage, Phosphorus Domain Controller Discovery, PowerView commandlets 1"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading, Webshell Creation, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading, Webshell Creation, IIS Module Installation Using AppCmd, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Copy Of Legitimate System32 Executable, AutoIt3 Execution From Suspicious Folder, Formbook Hijacked Process Command, Non-Legitimate Executable Using AcceptEula Parameter, Legitimate Process Execution From Unusual Folder, Suspicious Cmd.exe Command Line, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Socat Reverse Shell Detection, Socat Relaying Socket, Potential DNS Tunnel, Venom Multi-hop Proxy agent detection, Ngrok Process Execution, Netsh Port Forwarding"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Stop Backup Services, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Impacket Wmiexec Module, WMI Install Of Binary, Invoke-TheHash Commandlets, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, Wmic Process Call Creation, WMIC Uninstall Product, WMImplant Hack Tool, Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack, Rubeus Register New Logon Process"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Successful Overpass The Hash Attempt"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Linux Suspicious Nohup Exec, PowerShell NTFS Alternate Data Stream, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing, DNS Tunnel Technique From MuddyWater, Chafer (APT 39) Activity"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Cryptomining, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing, Suspicious Windows DNS Queries, DNS Tunnel Technique From MuddyWater, Chafer (APT 39) Activity, Dynamic DNS Contacted"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, DLL Load via LSASS Registry Key, Malware Persistence Registry Key, RUN Registry Key Created From Suspicious Folder, Suspicious desktop.ini Action, NjRat Registry Changes, Svchost Modification, Njrat Registry Values, Autorun Keys Modification, Kernel Module Alteration, Powershell Winlogon Helper DLL, Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created, Impacket Addcomputer"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Antivirus Relevant File Paths Alerts, Suspicious Hangul Word Processor Child Process, Msdt (Follina) File Browse Process Execution, Exploit For CVE-2015-1641, Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Suspicious XOR Encoded PowerShell Command Line, OneNote Embedded File, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell EncodedCommand"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, Suspicious Network Args In Command Line"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, RDP Login From Localhost"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, MMC20 Lateral Movement, Smbexec.py Service Installation, RDP Login From Localhost, MMC Spawning Windows Shell"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, IcedID Execution Using Excel"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder, Svchost Modification, Autorun Keys Modification, Malware Persistence Registry Key"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, Empire Monkey Activity, Equation Group DLL_U Load, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Elise Backdoor, Exploited CVE-2020-10189 Zoho ManageEngine, Exploiting SetupComplete.cmd CVE-2019-1378, Phorpiex DriveMgr Command, Malspam Execution Registering Malicious DLL, Suspicious Cmd.exe Command Line, Suspicious Taskkill Command, Mustang Panda Dropper, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Adexplorer Usage, Opening Of a Password File, Linux Suspicious Search, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: User Added to Local Administrators, Admin User RDP Remote Logon, Account Tampering - Suspicious Failed Logon Reasons, Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Exfiltration Domain, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line, Exfiltration Domain"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Legitimate Process Execution From Unusual Folder, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Callout DLL Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL, Exploiting SetupComplete.cmd CVE-2019-1378, DNS Server Error Failed Loading The ServerLevelPluginDLL, Hijack Legit RDP Session To Move Laterally, Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Hangul Word Processor Child Process, Suspicious Outlook Child Process"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, Suspicious Windows DNS Queries"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Windows Credential Editor Registry Key, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Suspicious New Printer Ports In Registry, CVE-2021-4034 Polkit's pkexec, Certify Or Certipy, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1110.003", "score": 100, "comment": "Rules: Correlation Internal Ntlm Password Spraying"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1021.002", "score": 100, "comment": "Rules: Smbexec.py Service Installation"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: CVE-2019-0708 Scan"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration, Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, TOR Usage, Netsh Port Forwarding"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_c20528c1-621e-4959-83ba-652eca2e8ed0_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_c20528c1-621e-4959-83ba-652eca2e8ed0_do_not_edit_manually.json
index 7bbcd50df8..f5cfc7aa41 100644
--- a/_shared_content/operations_center/detection/generated/attack_c20528c1-621e-4959-83ba-652eca2e8ed0_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_c20528c1-621e-4959-83ba-652eca2e8ed0_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Microsoft Intune", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Intune Policy Change"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Intune Policy Change"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Microsoft Intune Non-Compliant Device"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Microsoft Intune", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Intune Policy Change"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Intune Policy Change"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Microsoft Intune Non-Compliant Device"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_c2faea65-1eb3-4f3f-b895-c8769a749d45_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_c2faea65-1eb3-4f3f-b895-c8769a749d45_do_not_edit_manually.json
index 8218d7b0f1..5eea15fc65 100644
--- a/_shared_content/operations_center/detection/generated/attack_c2faea65-1eb3-4f3f-b895-c8769a749d45_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_c2faea65-1eb3-4f3f-b895-c8769a749d45_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Fastly Next-Gen WAF Audit Logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Fastly Next-Gen WAF Audit Threat Alert"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Fastly Next-Gen WAF Audit Threat Alert"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Dynamic DNS Contacted, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, Cryptomining, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Fastly Next-Gen WAF Audit Logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Fastly Next-Gen WAF Audit Threat Alert"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Fastly Next-Gen WAF Audit Threat Alert"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, TrevorC2 HTTP Communication, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Cryptomining, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, TrevorC2 HTTP Communication, Covenant Default HTTP Beaconing, Dynamic DNS Contacted"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_c3888137-b34e-4526-ab61-836b2d45a742_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_c3888137-b34e-4526-ab61-836b2d45a742_do_not_edit_manually.json
index 922f6e34c7..bd6168f4e8 100644
--- a/_shared_content/operations_center/detection/generated/attack_c3888137-b34e-4526-ab61-836b2d45a742_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_c3888137-b34e-4526-ab61-836b2d45a742_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Netfilter", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Netfilter", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.json
index c6a937e549..be9d18b557 100644
--- a/_shared_content/operations_center/detection/generated/attack_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Microsoft 365 / Office 365", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft 365 (Office 365) Mass Download By A Single User, Microsoft 365 (Office 365) MailBoxAuditBypassAssociation Option Implementation, Microsoft 365 (Office 365) Safe Attachment Rule Disabled, Microsoft 365 (Office 365) Malware Filter Policy Removed, Microsoft 365 (Office 365) MCAS Inbox Hiding, Microsoft 365 (Office 365) Potential Ransomware Activity Detected, Microsoft 365 (Office 365) Anti-Phishing Policy Deletion, Microsoft 365 (Office 365) Malware Uploaded On SharePoint, Microsoft 365 (Office 365) MCAS Repeated Delete, Download Files From Non-Legitimate TLDs, Microsoft 365 (Office 365) Malware Uploaded On OneDrive, Microsoft 365 (Office 365) AtpDetection, ZIP LNK Infection Chain, Microsoft 365 (Office 365) MCAS Risky IP, ISO LNK Infection Chain, Cobalt Strike Default Beacons Names, Microsoft 365 (Office 365) MCAS Detection Velocity, Microsoft 365 (Office 365) Unusual Volume Of File Deletion, Microsoft 365 (Office 365) MCAS New Country, Microsoft 365 (Office 365) MCAS Repeated Failed Login, HTA Infection Chains, Microsoft 365 (Office 365) DLP Policy Removed, Microsoft 365 (Office 365) Safelinks Disabled, Microsoft 365 (Office 365) Malware Filter Rule Deletion, Microsoft 365 (Office 365) Anti-Phishing Rule Deletion, Download Files From Suspicious TLDs"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Microsoft 365 (Office 365) Mass Download By A Single User, Microsoft 365 (Office 365) MailBoxAuditBypassAssociation Option Implementation, Microsoft 365 (Office 365) Safe Attachment Rule Disabled, SEKOIA.IO Intelligence Feed, Microsoft 365 (Office 365) Malware Filter Policy Removed, Microsoft 365 (Office 365) MCAS Inbox Hiding, Suspicious Email Attachment Received, Microsoft 365 (Office 365) Potential Ransomware Activity Detected, Microsoft 365 (Office 365) Anti-Phishing Policy Deletion, Possible Malicious File Double Extension, Microsoft 365 (Office 365) Malware Uploaded On SharePoint, Suspicious Download Links From Legitimate Services, Suspicious Double Extension, Microsoft 365 (Office 365) MCAS Repeated Delete, Download Files From Non-Legitimate TLDs, Microsoft 365 (Office 365) Malware Uploaded On OneDrive, Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft 365 (Office 365) AtpDetection, Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft 365 (Office 365) MCAS Risky IP, Microsoft 365 (Office 365) MCAS Detection Velocity, Microsoft 365 (Office 365) Unusual Volume Of File Deletion, Microsoft 365 (Office 365) MCAS New Country, Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically, Microsoft 365 (Office 365) MCAS Repeated Failed Login, Microsoft 365 (Office 365) DLP Policy Removed, Microsoft 365 (Office 365) Safelinks Disabled, Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action, Microsoft 365 (Office 365) Malware Filter Rule Deletion, Microsoft 365 (Office 365) Anti-Phishing Rule Deletion, Download Files From Suspicious TLDs, Multiple Authentication On Microsoft 365 (Office 365) Portal From Two IP Addresses"}, {"techniqueID": "T1114.003", "score": 100, "comment": "Rules: Microsoft 365 Email Forwarding To Consumer Email Address, Microsoft 365 Email Forwarding To Privacy Email Address, Microsoft 365 Email Forwarding To Email Address With Rare TLD"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Microsoft 365 Email Forwarding To Consumer Email Address, Microsoft 365 Email Forwarding To Privacy Email Address, Entra ID Consent Attempt to Suspicious OAuth Application, Microsoft 365 Email Forwarding To Email Address With Rare TLD"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Microsoft 365 Sign-in With No User Agent, Entra ID Sign-In Via Known AiTM Phishing Kit, Entra ID Sign-In Via Known AiTM Phishing Kit (RED0046), Entra ID Sign-In Via Known AiTM Phishing Kit (Tycoon 2FA), Multiple Authentication On Microsoft 365 (Office 365) Portal From Two IP Addresses"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Microsoft 365 Sign-in With No User Agent, Entra ID Sign-In Via Known AiTM Phishing Kit, Entra ID Sign-In Via Known AiTM Phishing Kit (RED0046), Entra ID Sign-In Via Known AiTM Phishing Kit (Tycoon 2FA), Multiple Authentication On Microsoft 365 (Office 365) Portal From Two IP Addresses"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Socat Reverse Shell Detection, Socat Relaying Socket, Aspnet Compiler, Bloodhound and Sharphound Tools Usage, Suspicious File Name"}, {"techniqueID": "T1114.002", "score": 100, "comment": "Rules: Entra ID Consent Attempt to Suspicious OAuth Application"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically, Suspicious Double Extension, Suspicious Email Attachment Received, Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action, Microsoft Defender for Office 365 High Severity AIR Alert"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically, Suspicious Download Links From Legitimate Services, Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action, Microsoft Defender for Office 365 High Severity AIR Alert, Multiple Authentication On Microsoft 365 (Office 365) Portal From Two IP Addresses"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Microsoft 365 Authenticated Activity From Tor IP Address, TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Microsoft 365 Authenticated Activity From Tor IP Address, TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1586", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft Defender for Office 365 High Severity AIR Alert"}, {"techniqueID": "T1586.002", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft Defender for Office 365 High Severity AIR Alert"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification, Entra ID Password Compromised By Known Credential Testing Tool"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed, Microsoft Entra ID (Azure AD) Domain Trust Modification"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed, Microsoft Entra ID (Azure AD) Domain Trust Modification"}, {"techniqueID": "T1564.008", "score": 100, "comment": "Rules: Microsoft 365 Suspicious Inbox Rule"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Microsoft 365 Suspicious Inbox Rule"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Microsoft 365 Device Code Authentication"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group, Microsoft 365 Device Code Authentication"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, HTA Infection Chains, Download Files From Non-Legitimate TLDs, ISO LNK Infection Chain, Download Files From Suspicious TLDs"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: ACLight Discovering Privileged Accounts"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, HackTools Suspicious Names, Credential Dump Tools Related Files"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Dynamic DNS Contacted, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cryptomining, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, Discovery Commands Correlation"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, Discovery Commands Correlation"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Discovery Commands Correlation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Microsoft 365 / Office 365", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, Microsoft 365 (Office 365) Malware Filter Policy Removed, Microsoft 365 (Office 365) Safelinks Disabled, HTA Infection Chains, Microsoft 365 (Office 365) MCAS New Country, Microsoft 365 (Office 365) DLP Policy Removed, Microsoft 365 (Office 365) Safe Attachment Rule Disabled, Microsoft 365 (Office 365) Unusual Volume Of File Deletion, Microsoft 365 (Office 365) Anti-Phishing Rule Deletion, Microsoft 365 (Office 365) MCAS Repeated Failed Login, Microsoft 365 (Office 365) Malware Uploaded On SharePoint, Microsoft 365 (Office 365) MCAS Detection Velocity, Download Files From Non-Legitimate TLDs, Microsoft 365 (Office 365) MCAS Repeated Delete, Microsoft 365 (Office 365) Malware Filter Rule Deletion, Download Files From Suspicious TLDs, Microsoft 365 (Office 365) Mass Download By A Single User, Microsoft 365 (Office 365) MailBoxAuditBypassAssociation Option Implementation, ISO LNK Infection Chain, Microsoft 365 (Office 365) MCAS Inbox Hiding, Microsoft 365 (Office 365) MCAS Risky IP, Microsoft 365 (Office 365) AtpDetection, Microsoft 365 (Office 365) Potential Ransomware Activity Detected, Cobalt Strike Default Beacons Names, Microsoft 365 (Office 365) Malware Uploaded On OneDrive, Microsoft 365 (Office 365) Anti-Phishing Policy Deletion"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Microsoft 365 (Office 365) Malware Filter Policy Removed, SEKOIA.IO Intelligence Feed, Microsoft 365 (Office 365) Safelinks Disabled, Microsoft 365 (Office 365) MCAS New Country, Microsoft 365 (Office 365) DLP Policy Removed, Microsoft 365 (Office 365) Safe Attachment Rule Disabled, Microsoft 365 (Office 365) Unusual Volume Of File Deletion, Microsoft 365 (Office 365) Anti-Phishing Rule Deletion, Microsoft 365 (Office 365) MCAS Repeated Failed Login, Microsoft 365 (Office 365) Malware Uploaded On SharePoint, Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action, Microsoft 365 (Office 365) MCAS Detection Velocity, Download Files From Non-Legitimate TLDs, Suspicious Download Links From Legitimate Services, Microsoft 365 (Office 365) MCAS Repeated Delete, Microsoft 365 (Office 365) Malware Filter Rule Deletion, Download Files From Suspicious TLDs, Microsoft 365 (Office 365) Mass Download By A Single User, Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically, Suspicious Double Extension, Possible Malicious File Double Extension, Microsoft 365 (Office 365) MailBoxAuditBypassAssociation Option Implementation, Microsoft 365 (Office 365) MCAS Inbox Hiding, Microsoft 365 (Office 365) MCAS Risky IP, Microsoft 365 (Office 365) AtpDetection, Microsoft 365 (Office 365) Potential Ransomware Activity Detected, Microsoft 365 (Office 365) Malware Uploaded On OneDrive, Microsoft 365 (Office 365) Anti-Phishing Policy Deletion, Multiple Authentication On Microsoft 365 (Office 365) Portal From Two IP Addresses, Microsoft Defender for Office 365 High Severity AIR Alert, Suspicious Email Attachment Received"}, {"techniqueID": "T1114.003", "score": 100, "comment": "Rules: Microsoft 365 Email Forwarding To Email Address With Rare TLD, Microsoft 365 Email Forwarding To Consumer Email Address, Microsoft 365 Email Forwarding To Privacy Email Address"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Entra ID Consent Attempt to Suspicious OAuth Application, Microsoft 365 Email Forwarding To Consumer Email Address, Microsoft 365 Email Forwarding To Email Address With Rare TLD, Microsoft 365 Email Forwarding To Privacy Email Address"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit, Multiple Authentication On Microsoft 365 (Office 365) Portal From Two IP Addresses, Microsoft 365 Sign-in With No User Agent, Entra ID Sign-In Via Known AiTM Phishing Kit (RED0046), Entra ID Sign-In Via Known AiTM Phishing Kit (Tycoon 2FA)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit, Multiple Authentication On Microsoft 365 (Office 365) Portal From Two IP Addresses, Microsoft 365 Sign-in With No User Agent, Entra ID Sign-In Via Known AiTM Phishing Kit (RED0046), Entra ID Sign-In Via Known AiTM Phishing Kit (Tycoon 2FA)"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Socat Reverse Shell Detection, Suspicious File Name, Socat Relaying Socket, Bloodhound and Sharphound Tools Usage, Aspnet Compiler"}, {"techniqueID": "T1114.002", "score": 100, "comment": "Rules: Entra ID Consent Attempt to Suspicious OAuth Application"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action, Suspicious Double Extension, Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically, Microsoft Defender for Office 365 High Severity AIR Alert, Suspicious Email Attachment Received"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action, Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically, Suspicious Download Links From Legitimate Services, Microsoft Defender for Office 365 High Severity AIR Alert, Multiple Authentication On Microsoft 365 (Office 365) Portal From Two IP Addresses"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, Microsoft 365 Authenticated Activity From Tor IP Address, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, Microsoft 365 Authenticated Activity From Tor IP Address, TOR Usage Generic Rule"}, {"techniqueID": "T1586", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft Defender for Office 365 High Severity AIR Alert"}, {"techniqueID": "T1586.002", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft Defender for Office 365 High Severity AIR Alert"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification, Entra ID Password Compromised By Known Credential Testing Tool"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Domain Trust Modification, Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Domain Trust Modification, Domain Trust Created Or Removed"}, {"techniqueID": "T1564.008", "score": 100, "comment": "Rules: Microsoft 365 Suspicious Inbox Rule"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Microsoft 365 Suspicious Inbox Rule"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Microsoft 365 Device Code Authentication"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Microsoft 365 Device Code Authentication, Account Added To A Security Enabled Group"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, Download Files From Suspicious TLDs, HTA Infection Chains, Download Files From Non-Legitimate TLDs, ISO LNK Infection Chain"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: ACLight Discovering Privileged Accounts"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, HackTools Suspicious Names, WCE wceaux.dll Creation"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Relaying Socket, Exfiltration And Tunneling Tools Execution, Socat Reverse Shell Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Exfiltration And Tunneling Tools Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, TrevorC2 HTTP Communication, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Exfiltration And Tunneling Tools Execution, Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Koadic MSHTML Command, TrevorC2 HTTP Communication, Covenant Default HTTP Beaconing, Dynamic DNS Contacted"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, System Info Discovery"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage, NlTest Usage"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_cf5c916e-fa26-11ed-a844-f7f4d7348199_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_cf5c916e-fa26-11ed-a844-f7f4d7348199_do_not_edit_manually.json
index 1eed5c9adf..f9081929ff 100644
--- a/_shared_content/operations_center/detection/generated/attack_cf5c916e-fa26-11ed-a844-f7f4d7348199_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_cf5c916e-fa26-11ed-a844-f7f4d7348199_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x OGO WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected, WAF Correlation Block actions"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected, WAF Correlation Block actions"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential LokiBot User-Agent, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Correlation Potential DNS Tunnel, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Cryptomining, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential LokiBot User-Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x OGO WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Correlation Block actions, Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: WAF Correlation Block actions, Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Cryptomining, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Correlation Potential DNS Tunnel, Potential LokiBot User-Agent, Koadic MSHTML Command, TrevorC2 HTTP Communication, Covenant Default HTTP Beaconing, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent, Koadic MSHTML Command, TrevorC2 HTTP Communication, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d0383e87-e054-4a21-8a2c-6a89635d8615_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d0383e87-e054-4a21-8a2c-6a89635d8615_do_not_edit_manually.json
index caee972b6d..08abda7530 100644
--- a/_shared_content/operations_center/detection/generated/attack_d0383e87-e054-4a21-8a2c-6a89635d8615_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d0383e87-e054-4a21-8a2c-6a89635d8615_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Ubika Cloud Protector Alerts [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Ubika Cloud Protector Alerts [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Koadic MSHTML Command"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d14567dd-56b1-42f8-aa64-fb65d4b0a4cf_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d14567dd-56b1-42f8-aa64-fb65d4b0a4cf_do_not_edit_manually.json
index 036e654305..bb323d609a 100644
--- a/_shared_content/operations_center/detection/generated/attack_d14567dd-56b1-42f8-aa64-fb65d4b0a4cf_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d14567dd-56b1-42f8-aa64-fb65d4b0a4cf_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cloudflare Gateway Network", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, Correlation Potential DNS Tunnel, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage, Suspicious TOR Gateway"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Burp Suite Tool Detected, Internet Scanner"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cloudflare Gateway Network", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1557", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit, EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit, EvilProxy Phishing Domain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target, Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d2725f97-0c7b-4942-a847-983f38efb8ff_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d2725f97-0c7b-4942-a847-983f38efb8ff_do_not_edit_manually.json
index 80c531d90e..e64e077d2d 100644
--- a/_shared_content/operations_center/detection/generated/attack_d2725f97-0c7b-4942-a847-983f38efb8ff_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d2725f97-0c7b-4942-a847-983f38efb8ff_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Salesforce", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential LokiBot User-Agent, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Dynamic DNS Contacted, Cobalt Strike HTTP Default POST Beaconing, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default GET beaconing, Cryptomining, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, LokiBot Default C2 URL"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-21985 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2020-1147 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-17530 Apache Struts RCE, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-41773 Apache 2.4.49 Path Traversal, GitLab CVE-2021-22205, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2019-0604 SharePoint"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential LokiBot User-Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Cobalt Strike HTTP Default POST Beaconing, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, LokiBot Default C2 URL"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Salesforce", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing, Cobalt Strike HTTP Default GET beaconing, Detect requests to Konni C2 servers, Koadic MSHTML Command, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Covenant Default HTTP Beaconing, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), GitLab CVE-2021-22205, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing, Cobalt Strike HTTP Default GET beaconing, Detect requests to Konni C2 servers, Koadic MSHTML Command, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d3a813ac-f9b5-451c-a602-a5994544d9ed_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d3a813ac-f9b5-451c-a602-a5994544d9ed_do_not_edit_manually.json
index d4eaa1620e..1b9fd29da1 100644
--- a/_shared_content/operations_center/detection/generated/attack_d3a813ac-f9b5-451c-a602-a5994544d9ed_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d3a813ac-f9b5-451c-a602-a5994544d9ed_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x AWS CloudTrail", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console, Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed, Sekoia.io EICAR Detection, Login Brute-Force Successful On SentinelOne EDR Management Console, Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console, Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: AWS CloudTrail IAM DeleteOpenIDConnectProvider, AWS CloudTrail IAM UpdateSAMLProvider, AWS CloudTrail Remove Flow logs, Microsoft Defender Antivirus Tampering Detected, AWS CloudTrail IAM DeleteSAMLProvider, AWS CloudTrail IAM ChangePassword, AWS CloudTrail GuardDuty Detector Deleted, AWS CloudTrail IAM AWSCompromisedKeyQuarantineV2, AWS CloudTrail EC2 Security Group Modified, AWS CloudTrail IAM UpdateOpenIDConnectProviderThumbprint, AWS CloudTrail Disable MFA, AWS CloudTrail Config Disable Channel/Recorder, AWS CloudTrail IAM CreateOpenIDConnectProvider, AWS CloudTrail Config DeleteConfigurationRecorder, AWS CloudTrail IAM RemoveClientIDFromOpenIDConnectProvider, AWS CloudTrail GuardDuty Disruption, AWS CloudTrail IAM CreateSAMLProvider, AWS CloudTrail Important Change, AWS CloudTrail EventBridge Rule Disabled Or Deleted, AWS CloudTrail IAM AddClientIDToOpenIDConnectProvider, AWS CloudTrail GuardDuty Detector Suspended"}, {"techniqueID": "T1578.003", "score": 100, "comment": "Rules: AWS CloudTrail S3 Bucket Replication, AWS CloudTrail EC2 Subnet Deleted, AWS CloudTrail ECS Cluster Deleted"}, {"techniqueID": "T1578", "score": 100, "comment": "Rules: AWS CloudTrail ECS Cluster Deleted, AWS CloudTrail EC2 Subnet Deleted, AWS CloudTrail EC2 CreateVPC, AWS CloudTrail S3 Bucket Replication, AWS CloudTrail Route 53 Domain Transfer Lock Disabled, AWS CloudTrail IAM Failed User Creation, AWS CloudTrail IAM Password Policy Updated, AWS CloudTrail Root ConsoleLogin, AWS CloudTrail Route 53 Domain Transfer Attempt, AWS CloudTrail IAM Policy Changed"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: AWS CloudTrail RDS DB Cluster/Instance Deleted, Backup Catalog Deleted, AWS CloudTrail ECS Cluster Deleted"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: AWS CloudTrail Route 53 Domain Transfer Lock Disabled, AWS CloudTrail IAM Failed User Creation, AWS CloudTrail IAM Password Policy Updated, AWS CloudTrail Root ConsoleLogin, AWS CloudTrail Route 53 Domain Transfer Attempt, AWS CloudTrail IAM Policy Changed, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1580", "score": 100, "comment": "Rules: AWS Suspicious Discovery Commands"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AWS Suspicious Discovery Commands"}, {"techniqueID": "T1619", "score": 100, "comment": "Rules: AWS Suspicious Discovery Commands"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: AWS CloudTrail RDS Public DB Restore, AWS CloudTrail RDS Change Master Password"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: AWS CloudTrail IAM CreateSAMLProvider, AWS CloudTrail IAM ChangePassword, AWS CloudTrail IAM AWSCompromisedKeyQuarantineV2, AWS CloudTrail IAM DeleteOpenIDConnectProvider, AWS CloudTrail Important Change, AWS CloudTrail IAM UpdateSAMLProvider, AWS CloudTrail IAM UpdateOpenIDConnectProviderThumbprint, AWS CloudTrail Disable MFA, AWS CloudTrail GuardDuty Disruption, AWS CloudTrail Remove Flow logs, AWS CloudTrail Config Disable Channel/Recorder, AWS CloudTrail EventBridge Rule Disabled Or Deleted, AWS CloudTrail IAM DeleteSAMLProvider, AWS CloudTrail GuardDuty Detector Suspended, AWS CloudTrail IAM CreateOpenIDConnectProvider, AWS CloudTrail Config DeleteConfigurationRecorder, AWS CloudTrail IAM AddClientIDToOpenIDConnectProvider, AWS CloudTrail IAM RemoveClientIDFromOpenIDConnectProvider"}, {"techniqueID": "T1562.008", "score": 100, "comment": "Rules: AWS CloudTrail Remove Flow logs"}, {"techniqueID": "T1021.007", "score": 100, "comment": "Rules: AWS CloudTrail EC2 CreateKeyPair, AWS CloudTrail EC2 Enable Serial Console Access, AWS CloudTrail EC2 Instance Connect SendSerialConsoleSSHPublicKey, AWS CloudTrail EC2 Instance Connect SendSSHPublicKey, AWS CloudTrail EC2 DeleteKeyPair"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: AWS CloudTrail EC2 CreateKeyPair, AWS CloudTrail EC2 Enable Serial Console Access, AWS CloudTrail EC2 Instance Connect SendSerialConsoleSSHPublicKey, AWS CloudTrail EC2 Instance Connect SendSSHPublicKey, AWS CloudTrail EC2 DeleteKeyPair"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: AWS CloudTrail EC2 VM Export Failure"}, {"techniqueID": "T1537", "score": 100, "comment": "Rules: AWS CloudTrail EC2 VM Export Failure"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1136.003", "score": 100, "comment": "Rules: AWS Persistence By Creating KeyPair And SecurityGroup"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: AWS Persistence By Creating KeyPair And SecurityGroup, User Account Created"}, {"techniqueID": "T1578.002", "score": 100, "comment": "Rules: AWS CloudTrail EC2 CreateVPC"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: AWS CloudTrail KMS CMK Key Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus Tampering Detected, AWS CloudTrail KMS CMK Key Deleted"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x AWS CloudTrail", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, AWS CloudTrail EC2 Startup Script Changed, Microsoft Defender Antivirus Threat Detected, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: AWS CloudTrail IAM DeleteSAMLProvider, AWS CloudTrail GuardDuty Disruption, AWS CloudTrail IAM CreateSAMLProvider, AWS CloudTrail IAM UpdateSAMLProvider, AWS CloudTrail IAM UpdateOpenIDConnectProviderThumbprint, Microsoft Defender Antivirus Tampering Detected, AWS CloudTrail Config DeleteConfigurationRecorder, AWS CloudTrail Disable MFA, AWS CloudTrail EC2 Security Group Modified, AWS CloudTrail Config Disable Channel/Recorder, AWS CloudTrail GuardDuty Detector Deleted, AWS CloudTrail IAM RemoveClientIDFromOpenIDConnectProvider, AWS CloudTrail IAM DeleteOpenIDConnectProvider, AWS CloudTrail IAM AWSCompromisedKeyQuarantineV2, AWS CloudTrail Important Change, AWS CloudTrail Remove Flow logs, AWS CloudTrail EventBridge Rule Disabled Or Deleted, AWS CloudTrail IAM ChangePassword, AWS CloudTrail IAM AddClientIDToOpenIDConnectProvider, AWS CloudTrail IAM CreateOpenIDConnectProvider, AWS CloudTrail GuardDuty Detector Suspended"}, {"techniqueID": "T1578.003", "score": 100, "comment": "Rules: AWS CloudTrail ECS Cluster Deleted, AWS CloudTrail S3 Bucket Replication, AWS CloudTrail EC2 Subnet Deleted"}, {"techniqueID": "T1578", "score": 100, "comment": "Rules: AWS CloudTrail Route 53 Domain Transfer Attempt, AWS CloudTrail IAM Failed User Creation, AWS CloudTrail EC2 CreateVPC, AWS CloudTrail IAM Password Policy Updated, AWS CloudTrail ECS Cluster Deleted, AWS CloudTrail EC2 Subnet Deleted, AWS CloudTrail Root ConsoleLogin, AWS CloudTrail Route 53 Domain Transfer Lock Disabled, AWS CloudTrail IAM Policy Changed, AWS CloudTrail S3 Bucket Replication"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: AWS CloudTrail ECS Cluster Deleted, AWS CloudTrail RDS DB Cluster/Instance Deleted, Backup Catalog Deleted"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: AWS CloudTrail Route 53 Domain Transfer Attempt, AWS CloudTrail IAM Failed User Creation, AWS CloudTrail IAM Password Policy Updated, AWS CloudTrail Root ConsoleLogin, Password Change On Directory Service Restore Mode (DSRM) Account, AWS CloudTrail Route 53 Domain Transfer Lock Disabled, AWS CloudTrail IAM Policy Changed"}, {"techniqueID": "T1580", "score": 100, "comment": "Rules: AWS Suspicious Discovery Commands"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AWS Suspicious Discovery Commands"}, {"techniqueID": "T1619", "score": 100, "comment": "Rules: AWS Suspicious Discovery Commands"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: AWS CloudTrail RDS Public DB Restore, AWS CloudTrail RDS Change Master Password"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: AWS CloudTrail Important Change, AWS CloudTrail IAM CreateOpenIDConnectProvider, AWS CloudTrail IAM DeleteSAMLProvider, AWS CloudTrail IAM UpdateOpenIDConnectProviderThumbprint, AWS CloudTrail IAM RemoveClientIDFromOpenIDConnectProvider, AWS CloudTrail GuardDuty Disruption, AWS CloudTrail EventBridge Rule Disabled Or Deleted, AWS CloudTrail IAM CreateSAMLProvider, AWS CloudTrail Config DeleteConfigurationRecorder, AWS CloudTrail Disable MFA, AWS CloudTrail Remove Flow logs, AWS CloudTrail IAM ChangePassword, AWS CloudTrail Config Disable Channel/Recorder, AWS CloudTrail IAM AddClientIDToOpenIDConnectProvider, AWS CloudTrail IAM DeleteOpenIDConnectProvider, AWS CloudTrail IAM AWSCompromisedKeyQuarantineV2, AWS CloudTrail GuardDuty Detector Suspended, AWS CloudTrail IAM UpdateSAMLProvider"}, {"techniqueID": "T1562.008", "score": 100, "comment": "Rules: AWS CloudTrail Remove Flow logs"}, {"techniqueID": "T1021.007", "score": 100, "comment": "Rules: AWS CloudTrail EC2 CreateKeyPair, AWS CloudTrail EC2 DeleteKeyPair, AWS CloudTrail EC2 Instance Connect SendSerialConsoleSSHPublicKey, AWS CloudTrail EC2 Instance Connect SendSSHPublicKey, AWS CloudTrail EC2 Enable Serial Console Access"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: AWS CloudTrail EC2 CreateKeyPair, AWS CloudTrail EC2 DeleteKeyPair, AWS CloudTrail EC2 Instance Connect SendSerialConsoleSSHPublicKey, AWS CloudTrail EC2 Instance Connect SendSSHPublicKey, AWS CloudTrail EC2 Enable Serial Console Access"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: AWS CloudTrail EC2 VM Export Failure"}, {"techniqueID": "T1537", "score": 100, "comment": "Rules: AWS CloudTrail EC2 VM Export Failure"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1136.003", "score": 100, "comment": "Rules: AWS Persistence By Creating KeyPair And SecurityGroup"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, AWS Persistence By Creating KeyPair And SecurityGroup"}, {"techniqueID": "T1578.002", "score": 100, "comment": "Rules: AWS CloudTrail EC2 CreateVPC"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: AWS CloudTrail KMS CMK Key Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: AWS CloudTrail KMS CMK Key Deleted, Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Cryptomining, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d626fec3-473a-44b3-9e3d-587fdd99a421_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d626fec3-473a-44b3-9e3d-587fdd99a421_do_not_edit_manually.json
index 9f1c94fd77..86e28a667f 100644
--- a/_shared_content/operations_center/detection/generated/attack_d626fec3-473a-44b3-9e3d-587fdd99a421_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d626fec3-473a-44b3-9e3d-587fdd99a421_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Broadcom Cloud Secure Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Covenant Default HTTP Beaconing, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Dynamic DNS Contacted, Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing, Cryptomining, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing, Cryptomining"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Broadcom Cloud Secure Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Cryptomining, Potential Lemon Duck User-Agent, Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Dynamic DNS Contacted"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d6d15297-e977-4584-9bb3-f0290b99f014_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d6d15297-e977-4584-9bb3-f0290b99f014_do_not_edit_manually.json
index d40474e0f4..37d7524412 100644
--- a/_shared_content/operations_center/detection/generated/attack_d6d15297-e977-4584-9bb3-f0290b99f014_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d6d15297-e977-4584-9bb3-f0290b99f014_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x ArubaOS Switch", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x ArubaOS Switch", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d6f69e04-6ab7-40c0-9723-84060aeb5529_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d6f69e04-6ab7-40c0-9723-84060aeb5529_do_not_edit_manually.json
index c995f293ae..f87bf33abb 100644
--- a/_shared_content/operations_center/detection/generated/attack_d6f69e04-6ab7-40c0-9723-84060aeb5529_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d6f69e04-6ab7-40c0-9723-84060aeb5529_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Rubycat PROVE IT", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Rubycat PROVEIT Admin Service Modified"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Rubycat PROVEIT Admin Service Modified"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Rubycat PROVE IT", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Rubycat PROVEIT Admin Service Modified"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Rubycat PROVEIT Admin Service Modified"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d719e8b5-85a1-4dad-bf71-46155af56570_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d719e8b5-85a1-4dad-bf71-46155af56570_do_not_edit_manually.json
index a64323572c..6eba5795ae 100644
--- a/_shared_content/operations_center/detection/generated/attack_d719e8b5-85a1-4dad-bf71-46155af56570_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d719e8b5-85a1-4dad-bf71-46155af56570_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x WatchGuard Firebox", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain, Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain, Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner New Issues"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining, Sliver DNS Beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage, Suspicious TOR Gateway"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Correlation Potential DNS Tunnel, Sliver DNS Beaconing, Cryptomining"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Burp Suite Tool Detected, Internet Scanner"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x WatchGuard Firebox", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), Entra ID Sign-In Via Known AiTM Phishing Kit, EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), Entra ID Sign-In Via Known AiTM Phishing Kit, EvilProxy Phishing Domain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner New Issues"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing, Koadic MSHTML Command, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target, Burp Suite Tool Detected"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d9f337a4-1303-47d4-b15f-1f83807ff3cc_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d9f337a4-1303-47d4-b15f-1f83807ff3cc_do_not_edit_manually.json
index 1a1b2f1ec8..58dd410503 100644
--- a/_shared_content/operations_center/detection/generated/attack_d9f337a4-1303-47d4-b15f-1f83807ff3cc_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d9f337a4-1303-47d4-b15f-1f83807ff3cc_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Imperva WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected, WAF Block Rule, WAF Correlation Block actions"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected, WAF Block Rule, WAF Correlation Block actions"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential LokiBot User-Agent, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Correlation Potential DNS Tunnel, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cryptomining, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, LokiBot Default C2 URL"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-21985 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2020-1147 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-17530 Apache Struts RCE, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-41773 Apache 2.4.49 Path Traversal, GitLab CVE-2021-22205, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2019-0604 SharePoint"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential LokiBot User-Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, LokiBot Default C2 URL"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Imperva WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: WAF Correlation Block actions, WAF Block Rule, Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: WAF Correlation Block actions, WAF Block Rule, Burp Suite Tool Detected"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Correlation Potential DNS Tunnel, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Covenant Default HTTP Beaconing, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Download Files From Non-Legitimate TLDs, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), GitLab CVE-2021-22205, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_dc0f339f-5dbe-4e68-9fa0-c63661820941_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_dc0f339f-5dbe-4e68-9fa0-c63661820941_do_not_edit_manually.json
index a5f6347c2b..f69c41aaf3 100644
--- a/_shared_content/operations_center/detection/generated/attack_dc0f339f-5dbe-4e68-9fa0-c63661820941_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_dc0f339f-5dbe-4e68-9fa0-c63661820941_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Zscaler Internet Access", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain, Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain, Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Zscaler ZIA Malicious Threat, ZIP LNK Infection Chain, HTA Infection Chains, ISO LNK Infection Chain, Download Files From Suspicious TLDs, Zscaler ZIA Suspicious Threat"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Zscaler ZIA Malicious Threat, ZIP LNK Infection Chain, HTA Infection Chains, ISO LNK Infection Chain, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs, Zscaler ZIA Suspicious Threat"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, HackTools Suspicious Names, Credential Dump Tools Related Files"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Covenant Default HTTP Beaconing, Koadic MSHTML Command, Dynamic DNS Contacted, Cobalt Strike HTTP Default POST Beaconing, TrevorC2 HTTP Communication, Cobalt Strike HTTP Default GET beaconing, Potential LokiBot User-Agent, Correlation Potential DNS Tunnel, Cobalt Strike DNS Beaconing, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, Sliver DNS Beaconing, Potential Lemon Duck User-Agent, LokiBot Default C2 URL, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-21985 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2020-1147 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-17530 Apache Struts RCE, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-41773 Apache 2.4.49 Path Traversal, GitLab CVE-2021-22205, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2019-0604 SharePoint"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential LokiBot User-Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Cobalt Strike HTTP Default POST Beaconing, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, LokiBot Default C2 URL"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Suspicious URL Requested By Curl Or Wget Commands"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cobalt Strike DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining, Sliver DNS Beaconing"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136.003", "score": 100, "comment": "Rules: Suspicious URL Requested By Curl Or Wget Commands"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Zscaler Internet Access", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), Entra ID Sign-In Via Known AiTM Phishing Kit, EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), Entra ID Sign-In Via Known AiTM Phishing Kit, EvilProxy Phishing Domain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, Zscaler ZIA Suspicious Threat, Download Files From Suspicious TLDs, HTA Infection Chains, Zscaler ZIA Malicious Threat, ISO LNK Infection Chain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, Zscaler ZIA Suspicious Threat, Download Files From Suspicious TLDs, HTA Infection Chains, Cobalt Strike Default Beacons Names, Zscaler ZIA Malicious Threat, ISO LNK Infection Chain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, HackTools Suspicious Names, WCE wceaux.dll Creation"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Correlation Potential DNS Tunnel, Sliver DNS Beaconing, Cobalt Strike HTTP Default POST Beaconing, Covenant Default HTTP Beaconing, Potential Bazar Loader User-Agents, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Cobalt Strike DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Cobalt Strike HTTP Default GET beaconing, Koadic MSHTML Command, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Nimbo-C2 User Agent, Cryptomining, Potential Lemon Duck User-Agent, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), GitLab CVE-2021-22205, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing, Cobalt Strike HTTP Default GET beaconing, Detect requests to Konni C2 servers, Koadic MSHTML Command, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Suspicious URL Requested By Curl Or Wget Commands, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Cobalt Strike DNS Beaconing"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1136.003", "score": 100, "comment": "Rules: Suspicious URL Requested By Curl Or Wget Commands"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_dcb14795-a6f0-4ebb-a73d-6eb8b982afcd_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_dcb14795-a6f0-4ebb-a73d-6eb8b982afcd_do_not_edit_manually.json
index 5e4d671514..28d60a6165 100644
--- a/_shared_content/operations_center/detection/generated/attack_dcb14795-a6f0-4ebb-a73d-6eb8b982afcd_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_dcb14795-a6f0-4ebb-a73d-6eb8b982afcd_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Systancia Cleanroom [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Systancia Cleanroom [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_de9ca004-991e-4f5c-89c5-e075f3fb3216_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_de9ca004-991e-4f5c-89c5-e075f3fb3216_do_not_edit_manually.json
index db215a2f18..bf0ab4926a 100644
--- a/_shared_content/operations_center/detection/generated/attack_de9ca004-991e-4f5c-89c5-e075f3fb3216_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_de9ca004-991e-4f5c-89c5-e075f3fb3216_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Netskope", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1557", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, HTA Infection Chains, ISO LNK Infection Chain, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, Download Files From Suspicious TLDs, HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, Process Trace Alteration, NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation, Credential Dump Tools Related Files"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration, Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration, Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Cookies Deletion"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netskope Alert, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cryptomining, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1530", "score": 100, "comment": "Rules: Netskope DLP Alert"}, {"techniqueID": "T1083", "score": 100, "comment": "Rules: Netskope DLP Alert"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Netskope Admin Audit"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Netskope Admin Audit"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Netskope", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1557", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, Download Files From Suspicious TLDs, HTA Infection Chains, Cobalt Strike Default Beacons Names, ISO LNK Infection Chain"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, HTA Infection Chains, Download Files From Suspicious TLDs, ISO LNK Infection Chain"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Process Trace Alteration, NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation, HackTools Suspicious Names"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration, Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration, Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Cookies Deletion"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netskope Alert"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Koadic MSHTML Command, TrevorC2 HTTP Communication, Covenant Default HTTP Beaconing, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, TrevorC2 HTTP Communication, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1530", "score": 100, "comment": "Rules: Netskope DLP Alert"}, {"techniqueID": "T1083", "score": 100, "comment": "Rules: Netskope DLP Alert"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Netskope Admin Audit"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Netskope Admin Audit"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e_do_not_edit_manually.json
index ea052689ad..00f53bb276 100644
--- a/_shared_content/operations_center/detection/generated/attack_e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Proofpoint PoD", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, HackTools Suspicious Names, Credential Dump Tools Related Files"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Suspicious Email Attachment Received, Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Koadic MSHTML Command"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Burp Suite Tool Detected, Internet Scanner"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Proofpoint PoD", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, HackTools Suspicious Names, WCE wceaux.dll Creation"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Koadic MSHTML Command, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, Suspicious Email Attachment Received"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target, Burp Suite Tool Detected"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_e4a758fc-7620-49e6-b8ed-b7fb3d7fa232_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_e4a758fc-7620-49e6-b8ed-b7fb3d7fa232_do_not_edit_manually.json
index c3080a9e0f..40f18f8692 100644
--- a/_shared_content/operations_center/detection/generated/attack_e4a758fc-7620-49e6-b8ed-b7fb3d7fa232_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_e4a758fc-7620-49e6-b8ed-b7fb3d7fa232_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Vade for M365", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Spearphishing (Initial Contact Fraud) Detected By Vade For M365, Spearphishing (CEO Fraud) Detected By Vade For M365, Spam Detected By Vade For M365, Spearphishing (Gift Cards Fraud) Detected By Vade For M365, SEKOIA.IO Intelligence Feed, Spearphishing (W2 Fraud) Detected By Vade For M365, Malware Detected By Vade For M365 And Not Blocked, Malware Detected By Vade For M365, Phishing Detected By Vade For M365, Scam Detected By Vade For M365 And Not Blocked, Spearphishing (Lawyer Fraud) Detected By Vade For M365, Scam Detected By Vade For M365, Spam Detected By Vade For M365 And Not Blocked, Phishing Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365 And Not Blocked, Phishing Detected By Vade For M365"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365 And Not Blocked, Phishing Detected By Vade For M365"}, {"techniqueID": "T1566.003", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365 And Not Blocked, Phishing Detected By Vade For M365"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malware Detected By Vade For M365 And Not Blocked, Malware Detected By Vade For M365"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malware Detected By Vade For M365 And Not Blocked, Malware Detected By Vade For M365"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Vade for M365", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Spearphishing (Gift Cards Fraud) Detected By Vade For M365, Scam Detected By Vade For M365 And Not Blocked, SEKOIA.IO Intelligence Feed, Spam Detected By Vade For M365 And Not Blocked, Phishing Detected By Vade For M365, Phishing Detected By Vade For M365 And Not Blocked, Malware Detected By Vade For M365, Spearphishing (CEO Fraud) Detected By Vade For M365, Scam Detected By Vade For M365, Spam Detected By Vade For M365, Spearphishing (Lawyer Fraud) Detected By Vade For M365, Spearphishing (W2 Fraud) Detected By Vade For M365, Malware Detected By Vade For M365 And Not Blocked, Spearphishing (Initial Contact Fraud) Detected By Vade For M365"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365, Phishing Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365, Phishing Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1566.003", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365, Phishing Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malware Detected By Vade For M365 And Not Blocked, Malware Detected By Vade For M365"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malware Detected By Vade For M365 And Not Blocked, Malware Detected By Vade For M365"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_e6bb2404-8fc8-4124-a785-c1276277b5d7_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_e6bb2404-8fc8-4124-a785-c1276277b5d7_do_not_edit_manually.json
index 2b79220cf5..51866d1437 100644
--- a/_shared_content/operations_center/detection/generated/attack_e6bb2404-8fc8-4124-a785-c1276277b5d7_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_e6bb2404-8fc8-4124-a785-c1276277b5d7_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Okta", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1098", "score": 100, "comment": "Rules: Okta Application deleted, Okta User Impersonation Access, Okta User Account Deactivated, Okta Application modified, Okta Admin Privilege Granted"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Login Brute-Force Successful On Okta, Okta MFA Brute-Force Successful"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Login Brute-Force Successful On Okta, Okta MFA Brute-Force Successful"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Okta Blacklist Manipulations, Okta Network Zone Deleted, Okta Network Zone Deactivated, Okta Network Zone Modified, Okta Security Threat Configuration Updated, Okta MFA Disabled"}, {"techniqueID": "T1586", "score": 100, "comment": "Rules: Okta User Logged In Multiple Applications, Okta User Logged In From Multiple Countries"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Okta API Token revoked, Okta API Token created"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Okta MFA Bypass Attempt, Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Okta Security Threat Detected"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Okta User Impersonation Access"}, {"techniqueID": "T1562.007", "score": 100, "comment": "Rules: Okta Network Zone Deleted, Okta Network Zone Deactivated, Okta Network Zone Modified"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Okta User Account Locked"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Okta MFA Disabled"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Okta Admin Privilege Granted"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Okta Security Threat Detected"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Okta Security Threat Detected"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Okta Policy Rule Modified or Deleted, Okta Policy Modified or Deleted"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Okta User Account Created"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Okta Unauthorized Access to App, Okta Suspicious Activity Reported, Okta Many Passwords Reset Attempt"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Okta Phishing Detection with FastPass Origin Check, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Okta", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1098", "score": 100, "comment": "Rules: Okta Admin Privilege Granted, Okta Application modified, Okta User Account Deactivated, Okta Application deleted, Okta User Impersonation Access"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Login Brute-Force Successful On Okta, Okta MFA Brute-Force Successful"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Login Brute-Force Successful On Okta, Okta MFA Brute-Force Successful"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Okta MFA Disabled, Okta Network Zone Deleted, Okta Security Threat Configuration Updated, Okta Blacklist Manipulations, Okta Network Zone Deactivated, Okta Network Zone Modified"}, {"techniqueID": "T1586", "score": 100, "comment": "Rules: Okta User Logged In From Multiple Countries, Okta User Logged In Multiple Applications"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Okta API Token revoked, Okta API Token created"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Okta MFA Bypass Attempt, Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Okta Security Threat Detected"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Okta User Impersonation Access"}, {"techniqueID": "T1562.007", "score": 100, "comment": "Rules: Okta Network Zone Deactivated, Okta Network Zone Modified, Okta Network Zone Deleted"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Okta User Account Locked"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Okta MFA Disabled"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Okta Admin Privilege Granted"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Okta Security Threat Detected"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Okta Security Threat Detected"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Okta Policy Rule Modified or Deleted, Okta Policy Modified or Deleted"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Okta User Account Created"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Okta Suspicious Activity Reported, Okta Unauthorized Access to App, Okta Many Passwords Reset Attempt"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Okta Phishing Detection with FastPass Origin Check"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Cryptomining, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6_do_not_edit_manually.json
index ea5df3a7a7..9a86430181 100644
--- a/_shared_content/operations_center/detection/generated/attack_e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x IBM AIX", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Venom Multi-hop Proxy agent detection, Suspicious Windows Script Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious CodePage Switch with CHCP, Default Encoding To UTF-8 PowerShell, Socat Reverse Shell Detection, Generic-reverse-shell-oneliner, WMImplant Hack Tool, Suspicious PowerShell Keywords, PowerShell Downgrade Attack, Suspicious PrinterPorts Creation (CVE-2020-1048), Mustang Panda Dropper, PowerShell EncodedCommand, QakBot Process Creation, Socat Relaying Socket, Sysprep On AppData Folder, Python Offensive Tools and Packages, Powershell Web Request, Malspam Execution Registering Malicious DLL, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Taskkill Command, Bloodhound and Sharphound Tools Usage, MalwareBytes Uninstallation, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Download From URL, PowerShell Commands Invocation, Invoke-TheHash Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, Interactive Terminal Spawned via Python, XSL Script Processing And SquiblyTwo Attack, Suspicious XOR Encoded PowerShell Command Line, WMIC Uninstall Product, Suspicious PowerShell Invocations - Generic, Microsoft Office Creating Suspicious File, Suspicious VBS Execution Parameter, Suspicious PowerShell Invocations - Specific, Lazarus Loaders, Elise Backdoor, DNS Exfiltration and Tunneling Tools Execution, PowerShell Invoke Expression With Registry, Suspicious File Name, Linux Bash Reverse Shell"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Process Names In Command Line, Cmdkey Cached Credentials Recon, HackTools Suspicious Names, Process Trace Alteration, NTDS.dit File In Suspicious Directory, Mimikatz Basic Commands, Rubeus Tool Command-line, Grabbing Sensitive Hives Via Reg Utility, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Comsvcs, Wdigest Enable UseLogonCredential, NTDS.dit File Interaction Through Command Line, WCE wceaux.dll Creation, Suspicious CommandLine Lsassy Pattern, Credential Dump Tools Related Files, Process Memory Dump Using Createdump, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Rclone Process, Suspicious certutil command, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, QakBot Process Creation, Suspicious CodePage Switch with CHCP, Microsoft Office Creating Suspicious File, Malspam Execution Registering Malicious DLL, Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Shadow Copies, Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Password Change On Directory Service Restore Mode (DSRM) Account, Add User to Privileged Group, Enabling Restricted Admin Mode"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Powershell AMSI Bypass, Netsh Port Opening, Netsh Allow Command, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Allow Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh RDP Port Opening, Disable .NET ETW Through COMPlus_ETWEnabled, SELinux Disabling, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PROCEXP152.sys File Created In Tmp, Netsh RDP Port Forwarding, Netsh Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Disabled IE Security Features, ETW Tampering, Powershell AMSI Bypass, MalwareBytes Uninstallation, Raccine Uninstall, Disable Windows Defender Credential Guard, Address Space Layout Randomization (ASLR) Alteration, Windows Firewall Changes, Microsoft Defender Antivirus Disable Using Registry, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable Services, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, WMIC Uninstall Product, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Port Opening, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Task Manager Through Registry Key, Netsh Allowed Python Program, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled Service"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Wdigest Enable UseLogonCredential, Suspicious Desktopimgdownldr Execution, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Empire Monkey Activity, Suspicious Desktopimgdownldr Execution, Suspicious Mshta Execution, xWizard Execution, Suspicious Regsvr32 Execution, Malspam Execution Registering Malicious DLL, MavInject Process Injection, PowerShell Execution Via Rundll32, CertOC Loading Dll, Suspicious DLL Loading By Ordinal, Suspicious Taskkill Command, Explorer Process Executing HTA File, Equation Group DLL_U Load, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Regasm Regsvcs Usage, CMSTP Execution, Control Panel Items, Suspicious Control Process, AccCheckConsole Executing Dll, Mshta JavaScript Execution, Suspicious Windows Installer Execution, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Control Panel Items, WMI Persistence Script Event Consumer File Write, Change Default File Association, Component Object Model Hijacking"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password, PowerShell Data Compressed"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Openfiles Usage, Network Scanning and Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, PowerView commandlets 1, AdFind Usage, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Webshell Creation, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, Webshell Creation, IIS Module Installation Using AppCmd, PowerCat Function Loading"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Ngrok Process Execution, Netsh Port Forwarding"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Disabled Service"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Stop Backup Services"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Malspam Execution Registering Malicious DLL, Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Malspam Execution Registering Malicious DLL, Explorer Process Executing HTA File"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Process Call Creation, WMIC Uninstall Product, WMImplant Hack Tool, WMI Install Of Binary, Invoke-TheHash Commandlets, Wmic Service Call, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, WMImplant Hack Tool, Suspicious PowerShell Keywords, PowerShell Downgrade Attack, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Powershell Web Request, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Taskkill Command, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Download From URL, Invoke-TheHash Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, Suspicious PowerShell Invocations - Generic, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, PowerShell Invoke Expression With Registry"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh RDP Port Opening, SELinux Disabling, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PROCEXP152.sys File Created In Tmp, Netsh RDP Port Forwarding, Netsh Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Disabled IE Security Features, MalwareBytes Uninstallation, Raccine Uninstall, Disable Windows Defender Credential Guard, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Disable Services, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, WMIC Uninstall Product, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Port Opening, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Task Manager Through Registry Key, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled Service"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Autorun Keys Modification, Leviathan Registry Key Activity, Njrat Registry Values, Kernel Module Alteration, NjRat Registry Changes"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious XOR Encoded PowerShell Command Line, Suspicious certutil command, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Gpresult Usage, Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, Network Sniffing, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, PsExec Process, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Exfiltration Via Pscp, OneNote Suspicious Children Process, PsExec Process, SolarWinds Suspicious File Creation, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, New Service Creation"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, WMIC Uninstall Product, MalwareBytes Uninstallation, Malspam Execution Registering Malicious DLL, Lazarus Loaders, Elise Backdoor, Suspicious Taskkill Command, Phorpiex DriveMgr Command, Mustang Panda Dropper"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access, Adexplorer Usage, Linux Suspicious Search, Opening Of a Password File, Container Credential Access"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, Erase Shell History, ETW Tampering, Compression Followed By Suppression"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Malspam Execution Registering Malicious DLL, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, Dynamic Linker Hijacking From Environment Variable, DNS ServerLevelPluginDll Installation, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Createdump, Credential Dump Tools Related Files"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: CVE-2021-4034 Polkit's pkexec, Certify Or Certipy"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x IBM AIX", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, PowerShell Commands Invocation, Suspicious File Name, Interactive Terminal Spawned via Python, Bloodhound and Sharphound Tools Usage, Suspicious XOR Encoded PowerShell Command Line, Venom Multi-hop Proxy agent detection, Suspicious PowerShell Keywords, WMIC Uninstall Product, Suspicious PowerShell Invocations - Specific, Suspicious VBS Execution Parameter, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious CodePage Switch with CHCP, Socat Reverse Shell Detection, Phorpiex DriveMgr Command, Invoke-TheHash Commandlets, Malspam Execution Registering Malicious DLL, Powershell Web Request, XSL Script Processing And SquiblyTwo Attack, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Office Creating Suspicious File, WMImplant Hack Tool, Sekoia.io EICAR Detection, Default Encoding To UTF-8 PowerShell, Python Offensive Tools and Packages, DNS Exfiltration and Tunneling Tools Execution, Socat Relaying Socket, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, FromBase64String Command Line, Suspicious Taskkill Command, Generic-reverse-shell-oneliner, QakBot Process Creation, Linux Bash Reverse Shell, PowerShell Downgrade Attack, Elise Backdoor, Suspicious PowerShell Invocations - Generic, Suspicious Windows Script Execution, Mustang Panda Dropper, Lazarus Loaders, Sysprep On AppData Folder, PowerShell Download From URL"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, Suspicious CommandLine Lsassy Pattern, WCE wceaux.dll Creation, Credential Dump Tools Related Files, Process Trace Alteration, Mimikatz Basic Commands, HackTools Suspicious Process Names In Command Line, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Names, Process Memory Dump Using Rdrleakdiag, Wdigest Enable UseLogonCredential, Grabbing Sensitive Hives Via Reg Utility, Process Memory Dump Using Createdump, Copying Browser Files With Credentials"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Rclone Process, Suspicious Finger Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Credential Dump Tools Related Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Malspam Execution Registering Malicious DLL, XSL Script Processing And SquiblyTwo Attack, Microsoft Office Creating Suspicious File, Suspicious Windows Script Execution, QakBot Process Creation, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, Shadow Copies, Suspicious Headless Web Browser Execution To Download File, System Info Discovery"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account, Enabling Restricted Admin Mode, Add User to Privileged Group, Mimikatz Basic Commands"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Netsh Allow Command, Netsh RDP Port Forwarding, Windows Firewall Changes, Powershell AMSI Bypass, Netsh Port Opening, Netsh Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Netsh RDP Port Forwarding, Windows Firewall Changes, Microsoft Defender Antivirus Disable SecurityHealth, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Powershell AMSI Bypass, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Opening, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Port Opening, Disabled IE Security Features, Netsh Port Forwarding, Netsh Allow Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, ETW Tampering, SELinux Disabling, Disable .NET ETW Through COMPlus_ETWEnabled, Disabled Service, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disable Services, Address Space Layout Randomization (ASLR) Alteration, Fail2ban Unban IP, Clear EventLogs Through CommandLine, Raccine Uninstall, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Suspicious PROCEXP152.sys File Created In Tmp, Disable Task Manager Through Registry Key"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Blue Mockingbird Malware, Wdigest Enable UseLogonCredential, RedMimicry Winnti Playbook Registry Manipulation, Suspicious Desktopimgdownldr Execution, DHCP Callout DLL Installation, Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, Suspicious Rundll32.exe Execution, Mshta JavaScript Execution, MavInject Process Injection, Suspicious Control Process, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Regasm Regsvcs Usage, Malspam Execution Registering Malicious DLL, CertOC Loading Dll, xWizard Execution, PowerShell Execution Via Rundll32, Control Panel Items, Empire Monkey Activity, Suspicious Desktopimgdownldr Execution, Suspicious Taskkill Command, Suspicious Mshta Execution, Suspicious DLL Loading By Ordinal, Suspicious Regsvr32 Execution, CMSTP Execution, Explorer Process Executing HTA File, Equation Group DLL_U Load"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Control Panel Items, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, PowerShell Data Compressed, Data Compressed With Rar With Password"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2, Network Scanning and Discovery, Openfiles Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 1, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 1, Network Share Discovery, PowerView commandlets 2"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, AdFind Usage, NlTest Usage, PowerView commandlets 1"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, IIS Module Installation Using AppCmd, Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, RTLO Character, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Ngrok Process Execution, Netsh Port Forwarding"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Stop Backup Services, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, WMI Install Of Binary, Invoke-TheHash Commandlets, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, Wmic Process Call Creation, WMIC Uninstall Product, WMImplant Hack Tool"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, Bloodhound and Sharphound Tools Usage, Suspicious XOR Encoded PowerShell Command Line, Suspicious PowerShell Keywords, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, Invoke-TheHash Commandlets, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), WMImplant Hack Tool, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, FromBase64String Command Line, Suspicious Taskkill Command, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Generic, PowerShell Download From URL"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable SecurityHealth, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Port Opening, Disabled IE Security Features, Netsh Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, SELinux Disabling, Disabled Service, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disable Services, Address Space Layout Randomization (ASLR) Alteration, Fail2ban Unban IP, Raccine Uninstall, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Suspicious PROCEXP152.sys File Created In Tmp, Disable Task Manager Through Registry Key"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, NjRat Registry Changes, Njrat Registry Values, Autorun Keys Modification, Kernel Module Alteration, Malware Persistence Registry Key"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Suspicious XOR Encoded PowerShell Command Line, OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments, OneNote Suspicious Children Process, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Exfiltration Via Pscp, Usage Of Procdump With Common Arguments, SolarWinds Suspicious File Creation, Usage Of Sysinternals Tools, PsExec Process, OneNote Suspicious Children Process"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, Malware Persistence Registry Key"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Elise Backdoor, Phorpiex DriveMgr Command, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Mustang Panda Dropper, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Adexplorer Usage, Opening Of a Password File, Linux Suspicious Search, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, Erase Shell History, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line, Exfiltration Domain"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, Malspam Execution Registering Malicious DLL, Empire Monkey Activity, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Cryptomining, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Dynamic DNS Contacted"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Hijack Legit RDP Session To Move Laterally, Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: CVE-2021-4034 Polkit's pkexec, Certify Or Certipy"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_eb727929-6a06-4e68-a09d-cf0e5daf3ccd_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_eb727929-6a06-4e68-a09d-cf0e5daf3ccd_do_not_edit_manually.json
index 4164425e9a..d35438bbb0 100644
--- a/_shared_content/operations_center/detection/generated/attack_eb727929-6a06-4e68-a09d-cf0e5daf3ccd_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_eb727929-6a06-4e68-a09d-cf0e5daf3ccd_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Postfix", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Login Brute-Force Successful On SentinelOne EDR Management Console, Suspicious File Name"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, HackTools Suspicious Names, Credential Dump Tools Related Files"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, Correlation Potential DNS Tunnel, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Postfix", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Login Brute-Force Successful On SentinelOne EDR Management Console, Suspicious File Name"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Login Brute-Force Successful On SentinelOne EDR Management Console"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, HackTools Suspicious Names, WCE wceaux.dll Creation"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Email Attachment Received"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_ee0b3023-524c-40f6-baf5-b69c7b679887_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ee0b3023-524c-40f6-baf5-b69c7b679887_do_not_edit_manually.json
index 499bbf963a..76c79a5e79 100644
--- a/_shared_content/operations_center/detection/generated/attack_ee0b3023-524c-40f6-baf5-b69c7b679887_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_ee0b3023-524c-40f6-baf5-b69c7b679887_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x SonicWall Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Socat Reverse Shell Detection, Socat Relaying Socket, Microsoft Office Creating Suspicious File, Bloodhound and Sharphound Tools Usage, Suspicious File Name"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner New Issues"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-26855 Exchange SSRF, CVE-2020-1147 SharePoint, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2020-17530 Apache Struts RCE, CVE-2021-21972 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-0604 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21985 VMware vCenter"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, Microsoft Office Creating Suspicious File, HTA Infection Chains, ISO LNK Infection Chain, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, Download Files From Suspicious TLDs, HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Network Connection Via Certutil, Information Stealer Downloading Legitimate Third-Party DLLs, Suspicious Desktopimgdownldr Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, Process Trace Alteration, NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation, Credential Dump Tools Related Files"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Potential DNS Tunnel, Socat Relaying Socket, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential LokiBot User-Agent, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Suspicious Windows DNS Queries, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential LokiBot User-Agent, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Dynamic DNS Contacted, Correlation Potential DNS Tunnel, Covenant Default HTTP Beaconing, Suspicious Windows DNS Queries, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, TrevorC2 HTTP Communication, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cryptomining, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, Discovery Commands Correlation"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, Discovery Commands Correlation"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Discovery Commands Correlation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Suspicious Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x SonicWall Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Socat Reverse Shell Detection, Suspicious File Name, Socat Relaying Socket, Bloodhound and Sharphound Tools Usage, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner New Issues"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-1147 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, Download Files From Suspicious TLDs, HTA Infection Chains, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, ISO LNK Infection Chain"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, HTA Infection Chains, Download Files From Suspicious TLDs, ISO LNK Infection Chain"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, OneNote Suspicious Children Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Information Stealer Downloading Legitimate Third-Party DLLs, Suspicious URI Used In A Lazarus Campaign, Network Connection Via Certutil, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Process Trace Alteration, NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation, HackTools Suspicious Names"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Socat Relaying Socket, Exfiltration And Tunneling Tools Execution, Socat Reverse Shell Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Exfiltration And Tunneling Tools Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, Suspicious Windows DNS Queries, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, TrevorC2 HTTP Communication, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Exfiltration And Tunneling Tools Execution, Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Correlation Potential DNS Tunnel, Suspicious Windows DNS Queries, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, TrevorC2 HTTP Communication, Covenant Default HTTP Beaconing, Dynamic DNS Contacted"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, System Info Discovery"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage, NlTest Usage"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_ee54dd8e-4bd4-4fe8-9d9d-1a018cd8c4bb_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ee54dd8e-4bd4-4fe8-9d9d-1a018cd8c4bb_do_not_edit_manually.json
index 655b4d6c20..f98ceff608 100644
--- a/_shared_content/operations_center/detection/generated/attack_ee54dd8e-4bd4-4fe8-9d9d-1a018cd8c4bb_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_ee54dd8e-4bd4-4fe8-9d9d-1a018cd8c4bb_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Windows Log Insight", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Impacket Addcomputer, User Account Created"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Windows Log Insight", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Impacket Addcomputer"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Relaying Socket, Exfiltration And Tunneling Tools Execution, Socat Reverse Shell Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage, NlTest Usage"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Socat Relaying Socket, Bloodhound and Sharphound Tools Usage, Socat Reverse Shell Detection"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_ee6364a1-9e3c-4363-9cb6-2f574bd4ce51_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ee6364a1-9e3c-4363-9cb6-2f574bd4ce51_do_not_edit_manually.json
index 893cd7f926..1ef292d0c4 100644
--- a/_shared_content/operations_center/detection/generated/attack_ee6364a1-9e3c-4363-9cb6-2f574bd4ce51_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_ee6364a1-9e3c-4363-9cb6-2f574bd4ce51_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x WatchGuard Endpoint Security / Panda Security Aether", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x WatchGuard Endpoint Security / Panda Security Aether", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_f0a10c21-37d1-419f-8671-77903dc8de69_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_f0a10c21-37d1-419f-8671-77903dc8de69_do_not_edit_manually.json
index 38f25ceeea..9d56b3c2c8 100644
--- a/_shared_content/operations_center/detection/generated/attack_f0a10c21-37d1-419f-8671-77903dc8de69_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_f0a10c21-37d1-419f-8671-77903dc8de69_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Check Point NGFW", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Active Directory Database Dump Via Ntdsutil"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Active Directory Database Dump Via Ntdsutil"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential LokiBot User-Agent, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Correlation Potential DNS Tunnel, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cryptomining, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-26855 Exchange SSRF, CVE-2020-1147 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2020-17530 Apache Struts RCE, CVE-2021-21972 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-0604 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21985 VMware vCenter"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage, Suspicious TOR Gateway"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential LokiBot User-Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Burp Suite Tool Detected, Internet Scanner"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Check Point NGFW", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Active Directory Database Dump Via Ntdsutil"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Active Directory Database Dump Via Ntdsutil"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Correlation Potential DNS Tunnel, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, TrevorC2 HTTP Communication, Covenant Default HTTP Beaconing, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Download Files From Non-Legitimate TLDs, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-1147 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, TrevorC2 HTTP Communication, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target, Burp Suite Tool Detected"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_f0f95532-9928-4cde-a399-ddd992d48472_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_f0f95532-9928-4cde-a399-ddd992d48472_do_not_edit_manually.json
index 62a1cd9244..63fb079a4e 100644
--- a/_shared_content/operations_center/detection/generated/attack_f0f95532-9928-4cde-a399-ddd992d48472_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_f0f95532-9928-4cde-a399-ddd992d48472_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Forcepoint Secure Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner New Issues"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential LokiBot User-Agent, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Correlation Potential DNS Tunnel, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cryptomining, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-26855 Exchange SSRF, CVE-2020-1147 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2020-17530 Apache Struts RCE, CVE-2021-21972 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-0604 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21985 VMware vCenter"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential LokiBot User-Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Forcepoint Secure Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner New Issues"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Correlation Potential DNS Tunnel, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, TrevorC2 HTTP Communication, Covenant Default HTTP Beaconing, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-1147 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, TrevorC2 HTTP Communication, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_f570dd30-854b-4a22-9c2d-e2cfa46bf0e5_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_f570dd30-854b-4a22-9c2d-e2cfa46bf0e5_do_not_edit_manually.json
index c8e365454c..3c43c29da8 100644
--- a/_shared_content/operations_center/detection/generated/attack_f570dd30-854b-4a22-9c2d-e2cfa46bf0e5_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_f570dd30-854b-4a22-9c2d-e2cfa46bf0e5_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cloudflare Gateway HTTP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Entra ID Sign-In Via Known AiTM Phishing Kit"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, HackTools Suspicious Names, Credential Dump Tools Related Files"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential LokiBot User-Agent, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Correlation Potential DNS Tunnel, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cryptomining, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, LokiBot Default C2 URL"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-21985 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2020-1147 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-17530 Apache Struts RCE, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-41773 Apache 2.4.49 Path Traversal, GitLab CVE-2021-22205, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2019-0604 SharePoint"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential LokiBot User-Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, LokiBot Default C2 URL"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign, Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cloudflare Gateway HTTP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1557", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit, EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Entra ID Sign-In Via Known AiTM Phishing Kit, EvilProxy Phishing Domain"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Suspicious File Name"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, HackTools Suspicious Names, WCE wceaux.dll Creation"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Cryptomining, Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Correlation Potential DNS Tunnel, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Covenant Default HTTP Beaconing, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), GitLab CVE-2021-22205, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.json
index ea0ea1f589..a25ccb4a05 100644
--- a/_shared_content/operations_center/detection/generated/attack_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Stormshield SES", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Stormshield Ses Critical Not Block, Malspam Execution Registering Malicious DLL, Suspicious Outlook Child Process, Sysmon Windows File Block Executable, Stormshield Ses Emergency Block, Microsoft Office Product Spawning Windows Shell, Stormshield Ses Critical Block, Explorer Process Executing HTA File, ZIP LNK Infection Chain, MS Office Product Spawning Exe in User Dir, Winword Document Droppers, Microsoft Office Spawning Script, ISO LNK Infection Chain, Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Defender Antivirus Threat Detected, HTA Infection Chains, Exploit For CVE-2015-1641, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, MS Office Product Spawning Exe in User Dir, Winword Document Droppers, Sysmon Windows File Block Executable, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Venom Multi-hop Proxy agent detection, Suspicious Windows Script Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious CodePage Switch with CHCP, Default Encoding To UTF-8 PowerShell, Socat Reverse Shell Detection, Generic-reverse-shell-oneliner, WMImplant Hack Tool, Suspicious PowerShell Keywords, Trickbot Malware Activity, PowerShell Downgrade Attack, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PrinterPorts Creation (CVE-2020-1048), Mustang Panda Dropper, PowerShell EncodedCommand, QakBot Process Creation, Socat Relaying Socket, Sysprep On AppData Folder, Powershell Web Request, Malspam Execution Registering Malicious DLL, Suspicious Outlook Child Process, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Taskkill Command, AutoIt3 Execution From Suspicious Folder, Bloodhound and Sharphound Tools Usage, Suspicious Cmd.exe Command Line, MalwareBytes Uninstallation, PowerShell Malicious Nishang PowerShell Commandlets, Mshta Suspicious Child Process, PowerShell Download From URL, PowerShell Commands Invocation, Microsoft Office Spawning Script, Invoke-TheHash Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, XSL Script Processing And SquiblyTwo Attack, Suspicious XOR Encoded PowerShell Command Line, WMIC Uninstall Product, Suspicious PowerShell Invocations - Generic, Exploited CVE-2020-10189 Zoho ManageEngine, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Defender Antivirus Threat Detected, Suspicious VBS Execution Parameter, Suspicious PowerShell Invocations - Specific, Lazarus Loaders, Elise Backdoor, DNS Exfiltration and Tunneling Tools Execution, PowerShell Invoke Expression With Registry, Linux Bash Reverse Shell"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Program Allowed With Suspicious Location, Netsh Allow Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Exclusion Configuration, Netsh RDP Port Opening, Microsoft Defender Antivirus Tampering Detected, Disable .NET ETW Through COMPlus_ETWEnabled, FLTMC command usage, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PROCEXP152.sys File Created In Tmp, Netsh RDP Port Forwarding, Netsh Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, NetSh Used To Disable Windows Firewall, Disabled IE Security Features, ETW Tampering, Powershell AMSI Bypass, MalwareBytes Uninstallation, Raccine Uninstall, Disable Windows Defender Credential Guard, Address Space Layout Randomization (ASLR) Alteration, Windows Firewall Changes, Microsoft Defender Antivirus Disable Using Registry, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable Services, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, NetNTLM Downgrade Attack, Dism Disabling Windows Defender, WMIC Uninstall Product, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Port Opening, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Task Manager Through Registry Key, Netsh Allowed Python Program, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Driver Loaded"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Microsoft Defender Antivirus Tampering Detected, Clear EventLogs Through CommandLine, Erase Shell History, ETW Tampering, Compression Followed By Suppression"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, FLTMC command usage, ETW Tampering"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Exclusion Configuration, Netsh RDP Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PROCEXP152.sys File Created In Tmp, Netsh RDP Port Forwarding, Netsh Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Disabled IE Security Features, MalwareBytes Uninstallation, Raccine Uninstall, Disable Windows Defender Credential Guard, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Disable Services, AMSI Deactivation Using Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, NetNTLM Downgrade Attack, Dism Disabling Windows Defender, WMIC Uninstall Product, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Port Opening, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Task Manager Through Registry Key, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Driver Loaded"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Process Names In Command Line, Cmdkey Cached Credentials Recon, HackTools Suspicious Names, Process Trace Alteration, Process Memory Dump Using Rdrleakdiag, Mimikatz Basic Commands, Rubeus Tool Command-line, Grabbing Sensitive Hives Via Reg Utility, Process Memory Dump Using Comsvcs, Wdigest Enable UseLogonCredential, NTDS.dit File Interaction Through Command Line, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Createdump, Copying Sensitive Files With Credential Data, NetNTLM Downgrade Attack, Copying Browser Files With Credentials, Windows Credential Editor Registry Key"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Ursnif Registry Key, Suspicious New Printer Ports In Registry, RedMimicry Winnti Playbook Registry Manipulation, RDP Sensitive Settings Changed, Wdigest Enable UseLogonCredential, Suspicious Desktopimgdownldr Execution, Disable Workstation Lock, DHCP Callout DLL Installation, FlowCloud Malware, DNS ServerLevelPluginDll Installation, Disabling SmartScreen Via Registry, OceanLotus Registry Activity, NetNTLM Downgrade Attack, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Rclone Process, Suspicious certutil command, Network Connection Via Certutil, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Shell PID Injection, COM Hijack Via Sdclt, CMSTP UAC Bypass via COM Object Access, HTML Smuggling Suspicious Usage, Reconnaissance Commands Activities, UAC Bypass via Event Viewer, UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP UAC Bypass via COM Object Access, CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Empire Monkey Activity, IcedID Execution Using Excel, Suspicious Desktopimgdownldr Execution, Suspicious Mshta Execution, xWizard Execution, Suspicious Regsvr32 Execution, Malspam Execution Registering Malicious DLL, MavInject Process Injection, PowerShell Execution Via Rundll32, CertOC Loading Dll, Suspicious DLL Loading By Ordinal, CMSTP UAC Bypass via COM Object Access, Suspicious Taskkill Command, MOFComp Execution, Explorer Process Executing HTA File, Equation Group DLL_U Load, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Regasm Regsvcs Usage, CMSTP Execution, SquirrelWaffle Malspam Execution Loading DLL, Control Panel Items, Suspicious Control Process, AccCheckConsole Executing Dll, Mshta JavaScript Execution, Suspicious Windows Installer Execution, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, QakBot Process Creation, Suspicious CodePage Switch with CHCP, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Suspicious VBS Execution Parameter, Microsoft Office Spawning Script, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, WMImplant Hack Tool, Suspicious PowerShell Keywords, PowerShell Downgrade Attack, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Powershell Web Request, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Taskkill Command, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, Mshta Suspicious Child Process, PowerShell Download From URL, Invoke-TheHash Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, Suspicious PowerShell Invocations - Generic, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, PowerShell Invoke Expression With Registry"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, COM Hijack Via Sdclt, Control Panel Items, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, HTML Smuggling Suspicious Usage, Sticky Key Like Backdoor Usage, WMI Persistence Script Event Consumer File Write, Reconnaissance Commands Activities, Change Default File Association, Component Object Model Hijacking"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, WMI Fingerprint Commands, Shadow Copies, System Info Discovery, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Wsmprovhost Wrong Parent, Smss Wrong Parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration, Svchost Wrong Parent, Searchprotocolhost Wrong Parent, Searchindexer Wrong Parent, Taskhost Wrong Parent, Taskhostw Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Explorer Wrong Parent"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Wsmprovhost Wrong Parent, SolarWinds Wrong Child Process, Spoolsv Wrong Parent, Winlogon wrong parent, Svchost Wrong Parent, Winword wrong parent, Taskhostw Wrong Parent, Dllhost Wrong Parent, Csrss Wrong Parent, Rare Lsass Child Found, Smss Wrong Parent, OneNote Suspicious Children Process, Searchprotocolhost Child Found, Gpscript Suspicious Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, New Service Creation, Taskhost Wrong Parent, Explorer Wrong Parent, Wmiprvse Wrong Parent, Logonui Wrong Parent, Csrss Child Found, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Userinit Wrong Parent, Lsass Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Wsmprovhost Wrong Parent, SolarWinds Wrong Child Process, Spoolsv Wrong Parent, Winlogon wrong parent, Svchost Wrong Parent, Winword wrong parent, Taskhostw Wrong Parent, Dllhost Wrong Parent, Csrss Wrong Parent, Rare Lsass Child Found, Smss Wrong Parent, OneNote Suspicious Children Process, Searchprotocolhost Child Found, Gpscript Suspicious Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, New Service Creation, Taskhost Wrong Parent, Explorer Wrong Parent, Wmiprvse Wrong Parent, Logonui Wrong Parent, Csrss Child Found, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Userinit Wrong Parent, Lsass Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Suspicious DNS Child Process, Wsmprovhost Wrong Parent, SolarWinds Wrong Child Process, Spoolsv Wrong Parent, Winlogon wrong parent, Svchost Wrong Parent, PsExec Process, Winword wrong parent, Taskhostw Wrong Parent, Dllhost Wrong Parent, Usage Of Sysinternals Tools, Csrss Wrong Parent, Rare Lsass Child Found, Smss Wrong Parent, OneNote Suspicious Children Process, Searchprotocolhost Child Found, Gpscript Suspicious Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, Taskhost Wrong Parent, Usage Of Procdump With Common Arguments, Wmiprvse Wrong Parent, Logonui Wrong Parent, Csrss Child Found, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Userinit Wrong Parent, Lsass Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Suspicious DNS Child Process, Wsmprovhost Wrong Parent, SolarWinds Wrong Child Process, Spoolsv Wrong Parent, Windows Update LolBins, Winlogon wrong parent, Svchost Wrong Parent, PsExec Process, Winword wrong parent, Taskhostw Wrong Parent, Dllhost Wrong Parent, Usage Of Sysinternals Tools, Csrss Wrong Parent, Rare Lsass Child Found, Smss Wrong Parent, OneNote Suspicious Children Process, Searchprotocolhost Child Found, Gpscript Suspicious Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, Taskhost Wrong Parent, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, Wmiprvse Wrong Parent, Logonui Wrong Parent, Csrss Child Found, Microsoft Defender Antivirus Threat Detected, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Userinit Wrong Parent, Lsass Wrong Parent"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, Password Change On Directory Service Restore Mode (DSRM) Account, Add User to Privileged Group, Enabling Restricted Admin Mode"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Powershell AMSI Bypass, Netsh Port Opening, Netsh Program Allowed With Suspicious Location, Netsh Allow Command, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password, PowerShell Data Compressed"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Blue Mockingbird Malware, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Openfiles Usage, Network Scanning and Discovery, Shell PID Injection, PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Shell PID Injection, Discovery Commands Correlation, Active Directory Data Export Using Csvde, PowerView commandlets 1, Reconnaissance Commands Activities, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Trickbot Malware Activity, PowerView commandlets 1, AdFind Usage, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, ProxyShell Microsoft Exchange Suspicious Paths, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, IIS Module Installation Using AppCmd, Webshell Execution W3WP Process, PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Copy Of Legitimate System32 Executable, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, AutoIt3 Execution From Suspicious Folder, RTLO Character, Suspicious Cmd.exe Command Line, Explorer Wrong Parent"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Ngrok Process Execution, Netsh Port Forwarding"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Correlation Multi Service Disable"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Stop Backup Services"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Process Call Creation, WMIC Uninstall Product, Impacket Wmiexec Module, WMImplant Hack Tool, WMI Install Of Binary, WMI Fingerprint Commands, Invoke-TheHash Commandlets, Suspicious Mshta Execution From Wmi, Wmic Service Call, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Dynamic DNS Contacted, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, DNS Tunnel Technique From MuddyWater, Cryptomining"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, Download Files From Suspicious TLDs, HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Autorun Keys Modification, Leviathan Registry Key Activity, Powershell Winlogon Helper DLL, DLL Load via LSASS Registry Key, Svchost Modification, Njrat Registry Values, Security Support Provider (SSP) Added to LSA Configuration, RUN Registry Key Created From Suspicious Folder, Kernel Module Alteration, NjRat Registry Changes"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious XOR Encoded PowerShell Command Line, Suspicious certutil command, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Gpresult Usage, Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, Network Sniffing, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Office Application Startup Office Test"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Leviathan Registry Key Activity, Autorun Keys Modification, Svchost Modification, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, PowerShell Execution Via Rundll32, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands, Reconnaissance Commands Activities, Discovery Commands Correlation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: System Network Connections Discovery, Internet Scanner Target, Internet Scanner, Adidnsdump Enumeration, ACLight Discovering Privileged Accounts, Remote System Discovery Via Telnet"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2020-0688 Microsoft Exchange Server Exploit, Suspicious DNS Child Process, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, WMIC Uninstall Product, MalwareBytes Uninstallation, Exploited CVE-2020-10189 Zoho ManageEngine, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Lazarus Loaders, Elise Backdoor, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, Phorpiex DriveMgr Command, Mustang Panda Dropper"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Opening Of a Password File, Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access, Adexplorer Usage, Linux Suspicious Search, Opening Of a Password File, Container Credential Access"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Legitimate Process Execution From Unusual Folder, Explorer Wrong Parent"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Callout DLL Installation, DHCP Server Error Failed Loading the CallOut DLL, DNS ServerLevelPluginDll Installation, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Callout DLL Installation, DHCP Server Error Failed Loading the CallOut DLL, Dynamic Linker Hijacking From Environment Variable, DNS ServerLevelPluginDll Installation, Exploiting SetupComplete.cmd CVE-2019-1378, DHCP Server Loaded the CallOut DLL, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious New Printer Ports In Registry, Exploit For CVE-2015-1641, Msdt (Follina) File Browse Process Execution, Download Files From Suspicious TLDs"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Suspicious Double Extension, Suspicious Outlook Child Process, Download Files From Suspicious TLDs"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Python HTTP Server, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Suspicious CommandLine Lsassy Pattern, Windows Credential Editor Registry Key, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, Discovery Commands Correlation"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup, Wmic Suspicious Commands"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding, TOR Usage, Suspicious TOR Gateway"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Shell PID Injection"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, TOR Usage, Suspicious TOR Gateway"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Burp Suite Tool Detected, Internet Scanner"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Stormshield SES", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, Stormshield Ses Emergency Block, IcedID Execution Using Excel, HTA Infection Chains, Microsoft Defender Antivirus Threat Detected, Microsoft Office Spawning Script, Malspam Execution Registering Malicious DLL, Exploit For CVE-2015-1641, Microsoft Office Product Spawning Windows Shell, Sysmon Windows File Block Executable, Download Files From Suspicious TLDs, Winword Document Droppers, ISO LNK Infection Chain, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Stormshield Ses Critical Block, SquirrelWaffle Malspam Execution Loading DLL, Stormshield Ses Critical Not Block, Suspicious Outlook Child Process, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Sysmon Windows File Block Executable, Microsoft Office Spawning Script, Download Files From Suspicious TLDs, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, Cobalt Strike Default Beacons Names, Exploit For CVE-2015-1641, Explorer Process Executing HTA File, Winword Document Droppers, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, PowerShell Commands Invocation, Bloodhound and Sharphound Tools Usage, Suspicious XOR Encoded PowerShell Command Line, Venom Multi-hop Proxy agent detection, Suspicious PowerShell Keywords, Suspicious Cmd.exe Command Line, WMIC Uninstall Product, Suspicious PowerShell Invocations - Specific, Suspicious VBS Execution Parameter, Microsoft Defender Antivirus Threat Detected, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious CodePage Switch with CHCP, Microsoft Office Spawning Script, Socat Reverse Shell Detection, Phorpiex DriveMgr Command, Invoke-TheHash Commandlets, Malspam Execution Registering Malicious DLL, Powershell Web Request, XSL Script Processing And SquiblyTwo Attack, Suspicious PrinterPorts Creation (CVE-2020-1048), Mshta Suspicious Child Process, WMImplant Hack Tool, Sekoia.io EICAR Detection, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, AutoIt3 Execution From Suspicious Folder, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Socat Relaying Socket, PowerShell EncodedCommand, FromBase64String Command Line, Suspicious Taskkill Command, Generic-reverse-shell-oneliner, QakBot Process Creation, Linux Bash Reverse Shell, PowerShell Downgrade Attack, Elise Backdoor, Exploited CVE-2020-10189 Zoho ManageEngine, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PowerShell Invocations - Generic, Trickbot Malware Activity, Suspicious Windows Script Execution, Mustang Panda Dropper, SquirrelWaffle Malspam Execution Loading DLL, Lazarus Loaders, Sysprep On AppData Folder, Suspicious Outlook Child Process, PowerShell Download From URL"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Windows Firewall Changes, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Program Allowed With Suspicious Location, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Powershell AMSI Bypass, Microsoft Defender Antivirus Exclusion Configuration, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Opening, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Port Opening, Disabled IE Security Features, Netsh Port Forwarding, FLTMC command usage, Netsh Allow Command, NetNTLM Downgrade Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, ETW Tampering, Disable .NET ETW Through COMPlus_ETWEnabled, AMSI Deactivation Using Registry Key, Suspicious Driver Loaded, Microsoft Defender Antivirus Disable Services, Address Space Layout Randomization (ASLR) Alteration, Fail2ban Unban IP, Clear EventLogs Through CommandLine, Raccine Uninstall, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Suspicious PROCEXP152.sys File Created In Tmp, Disable Task Manager Through Registry Key"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, Microsoft Defender Antivirus Tampering Detected, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Deleted, Erase Shell History, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, FLTMC command usage"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Program Allowed With Suspicious Location, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Microsoft Defender Antivirus Exclusion Configuration, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Opening, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Port Opening, Disabled IE Security Features, Netsh Port Forwarding, NetNTLM Downgrade Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, Dism Disabling Windows Defender, AMSI Deactivation Using Registry Key, Suspicious Driver Loaded, Microsoft Defender Antivirus Disable Services, Address Space Layout Randomization (ASLR) Alteration, Fail2ban Unban IP, Raccine Uninstall, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Suspicious PROCEXP152.sys File Created In Tmp, Disable Task Manager Through Registry Key"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, Copying Sensitive Files With Credential Data, Windows Credential Editor Registry Key, Suspicious CommandLine Lsassy Pattern, Process Trace Alteration, Mimikatz Basic Commands, NetNTLM Downgrade Attack, HackTools Suspicious Process Names In Command Line, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Names, Process Memory Dump Using Rdrleakdiag, Wdigest Enable UseLogonCredential, Grabbing Sensitive Hives Via Reg Utility, Process Memory Dump Using Createdump, Copying Browser Files With Credentials"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Disable Workstation Lock, NetNTLM Downgrade Attack, Blue Mockingbird Malware, FlowCloud Malware, Wdigest Enable UseLogonCredential, RDP Sensitive Settings Changed, Suspicious New Printer Ports In Registry, RedMimicry Winnti Playbook Registry Manipulation, OceanLotus Registry Activity, Suspicious Desktopimgdownldr Execution, Disabling SmartScreen Via Registry, DHCP Callout DLL Installation, Disable .NET ETW Through COMPlus_ETWEnabled, Ursnif Registry Key"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign, Network Connection Via Certutil, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Rclone Process, Suspicious Finger Usage"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access, Reconnaissance Commands Activities, Shell PID Injection, COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage, UAC Bypass Via Sdclt"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, Mshta JavaScript Execution, MavInject Process Injection, Suspicious Control Process, MOFComp Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Regasm Regsvcs Usage, Malspam Execution Registering Malicious DLL, CertOC Loading Dll, xWizard Execution, PowerShell Execution Via Rundll32, Control Panel Items, Empire Monkey Activity, Suspicious Desktopimgdownldr Execution, Suspicious Taskkill Command, Suspicious Mshta Execution, Suspicious DLL Loading By Ordinal, Suspicious Regsvr32 Execution, CMSTP UAC Bypass via COM Object Access, CMSTP Execution, Explorer Process Executing HTA File, Equation Group DLL_U Load, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Microsoft Office Spawning Script, Malspam Execution Registering Malicious DLL, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, SquirrelWaffle Malspam Execution Loading DLL, QakBot Process Creation, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke Expression With Registry, Bloodhound and Sharphound Tools Usage, Suspicious XOR Encoded PowerShell Command Line, Suspicious PowerShell Keywords, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, Invoke-TheHash Commandlets, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), Mshta Suspicious Child Process, WMImplant Hack Tool, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, FromBase64String Command Line, Suspicious Taskkill Command, PowerShell Downgrade Attack, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious PowerShell Invocations - Generic, PowerShell Download From URL"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence, Control Panel Items, Component Object Model Hijacking, Sticky Key Like Backdoor Usage, Reconnaissance Commands Activities, Change Default File Association, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, New DLL Added To AppCertDlls Registry Key, COM Hijack Via Sdclt, HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, WMI Fingerprint Commands, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, Shadow Copies, System Info Discovery"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Svchost Wrong Parent, Taskhostw Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Smss Wrong Parent, Wsmprovhost Wrong Parent, Wmiprvse Wrong Parent, MavInject Process Injection, Explorer Wrong Parent, Spoolsv Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Searchindexer Wrong Parent"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Rare Logonui Child Found, Searchprotocolhost Wrong Parent, Spoolsv Wrong Parent, New Service Creation, Userinit Wrong Parent, Gpscript Suspicious Parent, SolarWinds Wrong Child Process, Smss Wrong Parent, Explorer Wrong Parent, Winword wrong parent, OneNote Suspicious Children Process, Dllhost Wrong Parent, Svchost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Lsass Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Rare Lsass Child Found, Searchprotocolhost Child Found, Csrss Wrong Parent, Csrss Child Found, Wmiprvse Wrong Parent, Logonui Wrong Parent, Searchindexer Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Rare Logonui Child Found, Searchprotocolhost Wrong Parent, Spoolsv Wrong Parent, New Service Creation, Userinit Wrong Parent, Gpscript Suspicious Parent, SolarWinds Wrong Child Process, Smss Wrong Parent, Explorer Wrong Parent, Winword wrong parent, OneNote Suspicious Children Process, Dllhost Wrong Parent, Svchost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Lsass Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Rare Lsass Child Found, Searchprotocolhost Child Found, Csrss Wrong Parent, Csrss Child Found, Wmiprvse Wrong Parent, Logonui Wrong Parent, Searchindexer Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Rare Logonui Child Found, Searchprotocolhost Wrong Parent, PsExec Process, Spoolsv Wrong Parent, Userinit Wrong Parent, Gpscript Suspicious Parent, SolarWinds Wrong Child Process, Smss Wrong Parent, Usage Of Procdump With Common Arguments, Winword wrong parent, OneNote Suspicious Children Process, Suspicious DNS Child Process, Dllhost Wrong Parent, Svchost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Lsass Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Rare Lsass Child Found, Searchprotocolhost Child Found, Csrss Wrong Parent, Csrss Child Found, Usage Of Sysinternals Tools, Wmiprvse Wrong Parent, Logonui Wrong Parent, Searchindexer Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Rare Logonui Child Found, Searchprotocolhost Wrong Parent, PsExec Process, Spoolsv Wrong Parent, Microsoft Defender Antivirus Threat Detected, Userinit Wrong Parent, Exfiltration Via Pscp, Windows Update LolBins, Gpscript Suspicious Parent, SolarWinds Wrong Child Process, Smss Wrong Parent, Usage Of Procdump With Common Arguments, Winword wrong parent, OneNote Suspicious Children Process, Suspicious DNS Child Process, Dllhost Wrong Parent, Svchost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Lsass Wrong Parent, Winlogon wrong parent, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Rare Lsass Child Found, Searchprotocolhost Child Found, Csrss Wrong Parent, Csrss Child Found, Usage Of Sysinternals Tools, Wmiprvse Wrong Parent, Logonui Wrong Parent, Searchindexer Wrong Parent"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account, Enabling Restricted Admin Mode, Add User to Privileged Group, Mimikatz Basic Commands"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Netsh Allow Command, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Program Allowed With Suspicious Location, Powershell AMSI Bypass, Netsh Port Opening, Netsh Port Forwarding"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, PowerShell Data Compressed, Data Compressed With Rar With Password"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, PowerView commandlets 2, Openfiles Usage, Shell PID Injection, PowerView commandlets 1"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, Reconnaissance Commands Activities, Shell PID Injection, PowerView commandlets 1"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 1, Network Share Discovery, PowerView commandlets 2"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, Trickbot Malware Activity, PowerView commandlets 2, NlTest Usage, AdFind Usage, PowerView commandlets 1"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths, IIS Module Installation Using AppCmd, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Copy Of Legitimate System32 Executable, AutoIt3 Execution From Suspicious Folder, Formbook Hijacked Process Command, Non-Legitimate Executable Using AcceptEula Parameter, Legitimate Process Execution From Unusual Folder, Possible Malicious File Double Extension, Suspicious Cmd.exe Command Line, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Ngrok Process Execution, Netsh Port Forwarding"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Correlation Multi Service Disable, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Stop Backup Services, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, WMI Fingerprint Commands, WMI Install Of Binary, Impacket Wmiexec Module, Invoke-TheHash Commandlets, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, Wmic Process Call Creation, WMIC Uninstall Product, WMImplant Hack Tool, Suspicious Mshta Execution From Wmi"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Cryptomining, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Detect requests to Konni C2 servers, Koadic MSHTML Command, DNS Tunnel Technique From MuddyWater, Dynamic DNS Contacted"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, HTA Infection Chains, Download Files From Suspicious TLDs, ISO LNK Infection Chain"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, DLL Load via LSASS Registry Key, Malware Persistence Registry Key, RUN Registry Key Created From Suspicious Folder, NjRat Registry Changes, Svchost Modification, Njrat Registry Values, Autorun Keys Modification, Kernel Module Alteration, Powershell Winlogon Helper DLL, Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1529", "score": 100, "comment": "Rules: Rebooting"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, FromBase64String Command Line, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration, Permission Discovery Via Wmic, Gpresult Usage"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Network Sniffing"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, IcedID Execution Using Excel"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder, Svchost Modification, Autorun Keys Modification, Malware Persistence Registry Key"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Credential Harvesting Via Vaultcmd.exe, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, Empire Monkey Activity, Equation Group DLL_U Load, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, Suspicious Headless Web Browser Execution To Download File, Discovery Commands Correlation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Reconnaissance Commands Activities, Cmd.exe Used To Run Reconnaissance Commands, Discovery Commands Correlation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: System Network Connections Discovery, Remote System Discovery Via Telnet, ACLight Discovering Privileged Accounts, Internet Scanner Target, Internet Scanner, Adidnsdump Enumeration"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, Suspicious DNS Child Process"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Elise Backdoor, Exploited CVE-2020-10189 Zoho ManageEngine, Exploiting SetupComplete.cmd CVE-2019-1378, Phorpiex DriveMgr Command, Malspam Execution Registering Malicious DLL, Suspicious Cmd.exe Command Line, Suspicious Taskkill Command, Mustang Panda Dropper, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Adexplorer Usage, Opening Of a Password File, Linux Suspicious Search, XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line, Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line, Exfiltration Domain"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Legitimate Process Execution From Unusual Folder, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Callout DLL Installation"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL, Exploiting SetupComplete.cmd CVE-2019-1378, DNS Server Error Failed Loading The ServerLevelPluginDLL, Hijack Legit RDP Session To Move Laterally, Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Permission Discovery Via Wmic"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Hangul Word Processor Child Process, Msdt (Follina) File Browse Process Execution, Exploit For CVE-2015-1641, Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Download Files From Suspicious TLDs, Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, Suspicious Outlook Child Process"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Python HTTP Server, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Windows Credential Editor Registry Key, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: Wmic Suspicious Commands, DNS Query For Iplookup"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Suspicious New Printer Ports In Registry, Certify Or Certipy, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule, TOR Usage, Netsh Port Forwarding"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Shell PID Injection, Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1131", "score": 100, "comment": "Rules: Shell PID Injection"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage, TOR Usage Generic Rule"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target, Burp Suite Tool Detected"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_f95fea50-533c-4897-9272-2f8361e63644_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_f95fea50-533c-4897-9272-2f8361e63644_do_not_edit_manually.json
index 33f86990bc..3920810ed2 100644
--- a/_shared_content/operations_center/detection/generated/attack_f95fea50-533c-4897-9272-2f8361e63644_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_f95fea50-533c-4897-9272-2f8361e63644_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x EfficientIP SOLIDServer DDI", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Correlation Potential DNS Tunnel, Cobalt Strike DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining, Sliver DNS Beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cobalt Strike DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining, Sliver DNS Beaconing"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: EfficientIP SOLIDServer Suspicious Behavior"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x EfficientIP SOLIDServer DDI", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Correlation Potential DNS Tunnel, Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing, Dynamic DNS Contacted, Cobalt Strike DNS Beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Correlation Potential DNS Tunnel, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Cobalt Strike DNS Beaconing"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner, Internet Scanner Target"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: EfficientIP SOLIDServer Suspicious Behavior"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_fc03f783-5039-415e-915a-a4b010d9a872_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_fc03f783-5039-415e-915a-a4b010d9a872_do_not_edit_manually.json
index 38da87a849..5595e8ab1d 100644
--- a/_shared_content/operations_center/detection/generated/attack_fc03f783-5039-415e-915a-a4b010d9a872_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_fc03f783-5039-415e-915a-a4b010d9a872_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x IBM iSeries [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Socat Reverse Shell Detection, Socat Relaying Socket, Aspnet Compiler, Microsoft Office Creating Suspicious File, Bloodhound and Sharphound Tools Usage, Suspicious File Name"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner New Issues"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, Microsoft Office Creating Suspicious File, HTA Infection Chains, ISO LNK Infection Chain, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account, SSH Authorized Key Alteration"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: HackTools Suspicious Names, Process Trace Alteration, NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation, Credential Dump Tools Related Files"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration, Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration, Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Cookies Deletion"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, Discovery Commands Correlation"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Active Directory Data Export Using Csvde, Discovery Commands Correlation"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Discovery Commands Correlation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x IBM iSeries [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Socat Reverse Shell Detection, Suspicious File Name, Socat Relaying Socket, Bloodhound and Sharphound Tools Usage, Microsoft Office Creating Suspicious File, Aspnet Compiler"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: RSA SecurID Failed Authentification"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: SecurityScorecard Vulnerability Assessment Scanner New Issues"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, HTA Infection Chains, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, ISO LNK Infection Chain"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account, SSH Authorized Key Alteration"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: ZIP LNK Infection Chain, HTA Infection Chains, ISO LNK Infection Chain"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, OneNote Suspicious Children Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation, OneNote Suspicious Children Process"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs, PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Information Stealer Downloading Legitimate Third-Party DLLs"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, Process Trace Alteration, NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation, HackTools Suspicious Names"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration, Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration, Suspicious PROCEXP152.sys File Created In Tmp"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Relaying Socket, Exfiltration And Tunneling Tools Execution, Socat Reverse Shell Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Exfiltration And Tunneling Tools Execution, Cryptomining"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Cookies Deletion"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Credential Dump Tools Related Files, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Discovery Commands Correlation, Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Discovery Commands Correlation, System Info Discovery"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Discovery Commands Correlation"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: HTML Smuggling Suspicious Usage"}, {"techniqueID": "T1592", "score": 100, "comment": "Rules: DNS Query For Iplookup"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dump Tools Related Files"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage, NlTest Usage"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_fc99c983-3e6c-448c-97e6-7e0948e12415_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_fc99c983-3e6c-448c-97e6-7e0948e12415_do_not_edit_manually.json
index 5e7d255ae0..205f5ef676 100644
--- a/_shared_content/operations_center/detection/generated/attack_fc99c983-3e6c-448c-97e6-7e0948e12415_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_fc99c983-3e6c-448c-97e6-7e0948e12415_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x AWS CloudFront", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential LokiBot User-Agent, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Correlation Potential DNS Tunnel, Covenant Default HTTP Beaconing, Cryptomining, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential LokiBot User-Agent, Covenant Default HTTP Beaconing, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x AWS CloudFront", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Cryptomining, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Correlation Potential DNS Tunnel, Potential LokiBot User-Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_ff1873e7-8757-4b1a-b0ca-b33f9b27f3d9_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ff1873e7-8757-4b1a-b0ca-b33f9b27f3d9_do_not_edit_manually.json
index 2806d64c06..3cc2056be2 100644
--- a/_shared_content/operations_center/detection/generated/attack_ff1873e7-8757-4b1a-b0ca-b33f9b27f3d9_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_ff1873e7-8757-4b1a-b0ca-b33f9b27f3d9_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x HAProxy", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential LokiBot User-Agent, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Dynamic DNS Contacted, Cobalt Strike HTTP Default POST Beaconing, Correlation Potential DNS Tunnel, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default GET beaconing, Cryptomining, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, LokiBot Default C2 URL"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-21985 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2020-1147 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-17530 Apache Struts RCE, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-41773 Apache 2.4.49 Path Traversal, GitLab CVE-2021-22205, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2019-0604 SharePoint"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential LokiBot User-Agent, Koadic MSHTML Command, Covenant Default HTTP Beaconing, Cobalt Strike HTTP Default POST Beaconing, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, LokiBot Default C2 URL"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x HAProxy", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Correlation Potential DNS Tunnel, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing, Cobalt Strike HTTP Default GET beaconing, Detect requests to Konni C2 servers, Koadic MSHTML Command, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Covenant Default HTTP Beaconing, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2020-1147 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), GitLab CVE-2021-22205, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Lemon Duck User-Agent, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing, Cobalt Strike HTTP Default GET beaconing, Detect requests to Konni C2 servers, Koadic MSHTML Command, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Correlation Potential DNS Tunnel, Cryptomining"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/built_in_rules_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/built_in_rules_do_not_edit_manually.md
index 78bb756ddd..5eceb1cabc 100644
--- a/_shared_content/operations_center/detection/generated/built_in_rules_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/built_in_rules_do_not_edit_manually.md
@@ -3062,6 +3062,7 @@ Rules catalog includes **944 built-in detection rules** ([_last update on 2024-0
     
     - **Changelog:**
     
+        - 16/09/2024 - minor - File paths added to filter some false positives.
         - 18/09/2023 - minor - File paths added to filter some false positives.
         - 13/03/2023 - minor - Extended the list of suspicious process names being spawned from explorer.exe
             
diff --git a/docs/xdr/features/detect/built_in_detection_rules_eventids.md b/docs/xdr/features/detect/built_in_detection_rules_eventids.md
index 7ec73f3c8b..9d5befcdfc 100644
--- a/docs/xdr/features/detect/built_in_detection_rules_eventids.md
+++ b/docs/xdr/features/detect/built_in_detection_rules_eventids.md
@@ -231,6 +231,7 @@ The colors of the EventIDs in this page should be interpreted as follow:
 | Netsh Program Allowed With Suspicious Location | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
 | Remote Privileged Group Enumeration | advanced | 4799 | Microsoft-Windows-Security-Auditing |
 | FLTMC command usage | advanced | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>5</a></span> | Kernel-Process |
+| ISO LNK Infection Chain | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>5</a></span>, <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>11</a></span> | Kernel-Process, Microsoft-Windows-Kernel-File |
 | Netsh RDP Port Opening | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
 | Powershell UploadString Function | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>1</a></span> | Microsoft-Windows-Sysmon |
 | Suspicious Windows Script Execution | intermediate | <span style="color:#5865d3"><a href='https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events' style='color: inherit;'>5</a></span> | Kernel-Process |
@@ -495,24 +496,24 @@ The colors of the EventIDs in this page should be interpreted as follow:
 | Antivirus Web Shell Detection | elementary | <span style="color:#6a18a0"><a href='https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide' style='color: inherit;'>1116</a></span> | Microsoft-Windows-Windows Defender |
 
 ## EventIDs occurences in rules
-| EventID | Number of rules concerned | Percentage of rules concerned (Total rules: 481) |
+| EventID | Number of rules concerned | Percentage of rules concerned (Total rules: 482) |
 | ------- | ------------------------- | ------------------------------------------------------ |
-| 1 | 228 | 47.4 % |
-| 13 | 47 | 9.77 % |
-| 4104 | 43 | 8.94 % |
-| 5 | 21 | 4.37 % |
-| 11 | 20 | 4.16 % |
-| 7 | 15 | 3.12 % |
+| 1 | 228 | 47.3 % |
+| 13 | 47 | 9.75 % |
+| 4104 | 43 | 8.92 % |
+| 5 | 22 | 4.56 % |
+| 11 | 21 | 4.36 % |
+| 7 | 15 | 3.11 % |
 | 15 | 13 | 2.7 % |
 | 5145 | 12 | 2.49 % |
-| 7045 | 11 | 2.29 % |
+| 7045 | 11 | 2.28 % |
 | 4688 | 8 | 1.66 % |
-| 17 | 6 | 1.25 % |
-| 5136 | 6 | 1.25 % |
-| 10 | 6 | 1.25 % |
-| 3 | 6 | 1.25 % |
-| 4624 | 6 | 1.25 % |
-| 98 | 6 | 1.25 % |
+| 17 | 6 | 1.24 % |
+| 5136 | 6 | 1.24 % |
+| 10 | 6 | 1.24 % |
+| 3 | 6 | 1.24 % |
+| 4624 | 6 | 1.24 % |
+| 98 | 6 | 1.24 % |
 | 22 | 5 | 1.04 % |
 | 4662 | 5 | 1.04 % |
 | 1116 | 5 | 1.04 % |
@@ -524,14 +525,14 @@ The colors of the EventIDs in this page should be interpreted as follow:
 | 4663 | 4 | 0.83 % |
 | 4720 | 3 | 0.62 % |
 | 4103 | 3 | 0.62 % |
-| 12 | 2 | 0.42 % |
-| 4768 | 2 | 0.42 % |
-| 8 | 2 | 0.42 % |
-| 6 | 2 | 0.42 % |
-| 4728 | 2 | 0.42 % |
-| 5007 | 2 | 0.42 % |
-| 30 | 2 | 0.42 % |
-| 4738 | 2 | 0.42 % |
+| 12 | 2 | 0.41 % |
+| 4768 | 2 | 0.41 % |
+| 8 | 2 | 0.41 % |
+| 6 | 2 | 0.41 % |
+| 4728 | 2 | 0.41 % |
+| 5007 | 2 | 0.41 % |
+| 30 | 2 | 0.41 % |
+| 4738 | 2 | 0.41 % |
 | 4706 | 1 | 0.21 % |
 | 4707 | 1 | 0.21 % |
 | 4661 | 1 | 0.21 % |
@@ -576,16 +577,16 @@ The colors of the EventIDs in this page should be interpreted as follow:
 | 16 | 1 | 0.21 % |
 
 ## EventProviders occurences in rules
-| EventProvider | Number of rules concerned | Percentage of rules concerned (Total rules: 481) |
+| EventProvider | Number of rules concerned | Percentage of rules concerned (Total rules: 482) |
 | ------- | ------------------------- | ------------------------------------------------------ |
-| Microsoft-Windows-Sysmon | 290 | 60.29 % |
-| Microsoft-Windows-Security-Auditing | 82 | 17.05 % |
-| Microsoft-Windows-PowerShell | 46 | 9.56 % |
-| Kernel-Process | 41 | 8.52 % |
-| Service Control Manager | 11 | 2.29 % |
+| Microsoft-Windows-Sysmon | 290 | 60.17 % |
+| Microsoft-Windows-Security-Auditing | 82 | 17.01 % |
+| Microsoft-Windows-PowerShell | 46 | 9.54 % |
+| Kernel-Process | 42 | 8.71 % |
+| Service Control Manager | 11 | 2.28 % |
 | Microsoft-Windows-Windows Defender | 9 | 1.87 % |
-| Microsoft-Windows-Kernel-File | 5 | 1.04 % |
-| Microsoft-Windows-DNS-Client | 2 | 0.42 % |
+| Microsoft-Windows-Kernel-File | 6 | 1.24 % |
+| Microsoft-Windows-DNS-Client | 2 | 0.41 % |
 | Microsoft-Windows-Backup | 1 | 0.21 % |
 | Microsoft-Windows-DHCP-Server | 1 | 0.21 % |
 | Application Error | 1 | 0.21 % |
@@ -600,9 +601,9 @@ The colors of the EventIDs in this page should be interpreted as follow:
 | Microsoft-Windows-Kernel-General | 1 | 0.21 % |
 
 ## EffortLevel x EventIDs
-| Effort Level | EventIDs | Number of related rules | Percentage of related rules (Total rules: 481 |
+| Effort Level | EventIDs | Number of related rules | Percentage of related rules (Total rules: 482 |
 | ------------ | -------- | ----------------------- | ------------------------------------------------------- |
-| master | 1, 10, 1013, 11, 12, 13, 15, 150, 17, 22, 25, 27, 3, 40, 4104, 4611, 4624, 4625, 4656, 4661, 4662, 4663, 4673, 4674, 4688, 4720, 4726, 4728, 4729, 4732, 4743, 4768, 5, 5007, 5140, 5145, 64, 7, 79016668, 8001, 83820799, 98 | 98 | 20.37 % |
-| advanced | 1, 10, 11, 1116, 1127, 13, 15, 17, 21, 22, 23, 25, 3, 4103, 4104, 4624, 4625, 4656, 4662, 4688, 4706, 4707, 4799, 5, 5136, 5145, 5154, 5156, 6416, 7, 7045, 8 | 121 | 25.16 % |
-| intermediate | 1, 10, 1000, 1033, 1034, 11, 1102, 1116, 12, 13, 15, 16, 17, 20, 22, 3, 30, 4103, 4104, 4624, 4649, 4656, 4657, 4662, 4663, 4688, 4697, 4698, 47, 4720, 4738, 4741, 4768, 4794, 4825, 5, 5136, 5145, 524, 6, 7, 7045 | 171 | 35.55 % |
-| elementary | 1, 10, 11, 1116, 13, 15, 17, 25, 325, 4103, 4104, 4625, 4663, 4688, 4697, 4704, 4720, 4738, 4887, 5, 5136, 7, 7045, 8 | 91 | 18.92 % |
\ No newline at end of file
+| master | 1, 10, 1013, 11, 12, 13, 15, 150, 17, 22, 25, 27, 3, 40, 4104, 4611, 4624, 4625, 4656, 4661, 4662, 4663, 4673, 4674, 4688, 4720, 4726, 4728, 4729, 4732, 4743, 4768, 5, 5007, 5140, 5145, 64, 7, 79016668, 8001, 83820799, 98 | 98 | 20.33 % |
+| advanced | 1, 10, 11, 1116, 1127, 13, 15, 17, 21, 22, 23, 25, 3, 4103, 4104, 4624, 4625, 4656, 4662, 4688, 4706, 4707, 4799, 5, 5136, 5145, 5154, 5156, 6416, 7, 7045, 8 | 121 | 25.1 % |
+| intermediate | 1, 10, 1000, 1033, 1034, 11, 1102, 1116, 12, 13, 15, 16, 17, 20, 22, 3, 30, 4103, 4104, 4624, 4649, 4656, 4657, 4662, 4663, 4688, 4697, 4698, 47, 4720, 4738, 4741, 4768, 4794, 4825, 5, 5136, 5145, 524, 6, 7, 7045 | 172 | 35.68 % |
+| elementary | 1, 10, 11, 1116, 13, 15, 17, 25, 325, 4103, 4104, 4625, 4663, 4688, 4697, 4704, 4720, 4738, 4887, 5, 5136, 7, 7045, 8 | 91 | 18.88 % |
\ No newline at end of file